Image

Image

Image

Tyler Reguly, @treguly
I’m very impressed with the COVID-19 tracing apps that are using the built-in functionality provided by Apple and Google. It is the first time that I can remember that every security and privacy enthusiast I know on social media has appeared to agree on a new technology. I haven’t seen any negative posts among people that I trust related to the feature. There are limitations, particularly with regard to older devices, but I understand those limitations. While we tend to push technology as long as we can due to cost, it is true that technology becomes dated and that upgrade options are limited. In Canada, I feel that there could still be more done to raise awareness to the tracing app and its configuration, but word of mouth seems to be relatively effective in this case. The question is how many people are refusing to turn it on? The app can be very effective, but only if people use it. How do we convince people who don’t believe in COVID-19, masks or the pandemic to install an application and enable a feature when they’re already convinced of multiple anti-technology conspiracy theories? Much like most of enterprise security, the issue is not the technology but the end-user. I feel safer with the app installed. I’m venturing outside again thanks to the belief I have in the power of the app, but how do we convince everyone to do this when the world can’t agree on less divisive topics?An Anonymous Contributor
Whilst it's great to hear that Apple/Google collaborated on this project, there are still some questions on how effective they can be. I don't have the answers because it's a hard topic. Sharing movements, tracking interactions and essentially mapping our lives is a scary thought. We've seen time and again that when this information is shared voluntarily with the belief that it will be used for one purpose, it is either lost, stolen or used in a way that wasn't voiced. I love the idea that an organization is building a solution to help, but historically, that trust has been broken over and again. You may argue, "Well, this information isn't going to identify me"; however, we know that data aggregation isn't some futuristic thing. This is used daily; it's the reality of our world. I do appreciate the work Google and Apple have done. I love that they have embedded security standards that developers must follow to gain access to the API. However, it still takes a small failure here, a forgotten about thing there, to cause harm. It is good you can volunteer to provide information. It is good you can opt out and delete historic data. It is also good it's an opt-in service, I.e. off by default. However, I'm not going to say I am at a point where I trust this will be used completely anonymously and safe. I have also not touched on the following: how do we verify that the user who is submitting the illness report is being truthful? Most reports are saying this is validated by their mobile number entered and a code provided. However, that's still a single form of validation. It's the one person. What if they're lying to spread fear or simply think it's "funny"? I realize that my mobile phone is tracking all I do. It's already monitoring me. However, I'm not at this point convinced that the best approach is to specifically enable a feature that will identify all persons I have been near. Maybe after it's been proven safe and effective, I will come around, but history tells us this can also lead to disaster. It's concerning. I don't want to normalize this tracking.David Bisson, @DMBisson
It's unclear to me why Apple came out with this feature when it did. On August 24, 9to5Mac.com found that only six states—Alabama, Arizona, Nevada, North Dakota, Virginia and Wyoming—had committed to using Apple's Exposure Notification API for COVID-19 tracing. (Pennsylvania and South Carolina indicated that they would eventually participate.) Information for the rest of the states was not available. As reported by PolitiFact, seventeen states indicated that they didn't intend to use the API, while the rest didn't respond. That begs the question: why create this API without the commitment from more public health authorities that their states will ultimately use it? In the absence of greater adoption and coordination with public health authorities, this API could needlessly expose users and their devices to potential attacks without providing a meaningful benefit for the majority of Apple's user base in the United States. What are your thoughts about this new tracing application? We would love to hear your comments over at @TripwireInc.Editor’s Note: The opinions expressed in this article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.