Due to the corona pandemic, numerous new regulations and measures to contain the virus were introduced at short notice. How do these regulations and measures affect data protection and IT security? An interview with Dr Aleksandra Sowa.
Dr Aleksandra Sowa is an author, data protection auditor and data protection officer. She is a member of the SPD Basic Values Commission, and sits on the Committee for Internal Affairs as an IT security expert. Dr Sowa founded and ran the Horst Görtz Institute for Information Security, together with the German cryptologist Hans Dobbertin. She has written several books and specialist publications on data protection and IT security.
The federal government is currently placing its hopes in a data protection-compliant Corona Tracking App. As part of the pan-European Privacy Preserving Proximity Tracing Initiative (PEPP-PT), 130 scientists from eight European countries are working on the technology for this app. How exactly will the app work, and what does it plan to achieve?
There seems to be no agreement on what functionalities and technologies the planned tracking app should include, even within the PEPP-PT consortium. Some contributors have left the PEPP-PT initiative in the past few days. Until we have certainty about how the app will meet its target – and what that target is in the first place – no reliable impact assessments of its data protection or security can be made. The idea behind the tracking app is basically similar to video surveillance in the subway: it won’t save lives, but it should help to throw more light on the disease. However, it can also be used as an electronic shackle to monitor quarantine compliance. Apparently some countries are already doing that.
Apps have had considerable success in Singapore and South Korea. What’s your view on that?
It mostly depends on how you define success. A vaccine or effective drugs would probably contain the epidemic more effectively than an app.
A quick fact check on the European Corona app: Are data protection requirements met when tracking uses Bluetooth, local storage and pseudonymisation / anonymisation?
Bluetooth is my biggest headache: for years, we’ve been told repeatedly to turn off Bluetooth for security reasons. But for the tracking app to work, connectivity has to be permanently activated. You don’t need to invent new attack vectors to access private information on mobile devices; the existing ones are quite sufficient. When you consider that some banks have switched their online banking to apps completely, i.e., both the banking and access key generation are done via app (two different apps, but on the same device), cyber criminals don’t need much imagination to use that active access. And then perhaps we’ll say, “Ok, my account is empty and I’m broke, but at least I’m still healthy!” I’m deliberately exaggerating a little here…
Surely the European technology is a prime example of ‘privacy by design’?
Ideally, you should factor the possibility of data protection violations and relevant attack vectors directly into development work. In the security sector we call that ‘shift left’. That means taking protection requirements into account from the outset in product development, or preferably earlier still in the concept stage – not just during commissioning or go-live. That could have been implemented very effectively on a new development app; when IT systems are already operative it’s not so trivial. The penetration test planned for the tracking app is an important test method, but not necessarily the non plus ultra. In the words of Edsger Dijkstra, the computer pioneer: “[…] program testing can be a very effective way to show the presence of bugs, but it is hopelessly inadequate for showing their absence. The only effective way to show the confidence level of a program significantly is to give a convincing proof of its correctness.” Plus, the tracking app pentest will only cover data protection aspects – not cybersecurity.
You’re an expert for IT security on the Committee for Internal Affairs. What about the tracking app’s (disregarded) security aspect?
Christina Kampmann, a Member of the State Assembly in North Rhine-Westphalia, warned in a live chat at the Friedrich-Ebert-Foundation that acceptance levels will drop if there is any doubt whatsoever about the reliability, data protection or security of the tracking app. So it’s all the more astonishing that apparently, security requirements have not been considered at all. The Federal Office for Information Security (BSI) recently published a technical guideline called ‘Security Requirements for Digital Health Applications’ for manufacturers of software programs – including apps – for mobile devices. However, the guideline is only in the ‘trial use’ phase. That means they’re still gathering experience on applying the test aspects, a process that relies on industry feedback. Also, the technical guideline is not binding. Mobile app developers in the healthcare sector can use it as a support tool, but they are not obliged to. We’re still missing a fundamental decision here. On the Committee for Internal Affairs I asked the Bundestag almost exactly a year ago – on April 9, 2019 – to make up their minds: Do you want to keep promoting technologies that strengthen surveillance and monitoring of people’s lives and work? Or do you – finally – want to invest in technologies that enable new life and work concepts that strengthen freedom and democracy, and by doing so, fulfil your responsibility to protect citizens? In view of today’s discussion on a tracking app, that question is more valid than ever. No, technology won’t cure us – at least not this one. Yes, we do need a radical cut in spending on technologies that strengthen surveillance, and a radical shift away from legislation that supports their development. What we need are investments in healthcare and research that deliver drugs and vaccines for today’s and tomorrow’s pathogens – tools that can save our lives not just virtually, but haptically.
In many companies, the corona crisis has accelerated digitization and is still doing so. Companies, IT departments and employees have had to digitize faster, and sometimes more successfully, than expected – for example by working from home. How can companies and employees protect themselves from phishing attacks and other threats by hackers?
The pandemic is having an impact on information security too. Among other things, this shows up in higher numbers of COVID-19-related phishing and malware campaigns. The framework parameters are favourable. Many companies have switched to home office, mobile workplace or flex-work modes, and are moving nearly all communications to electronic channels. In the current situation, cyber criminals are exploiting the higher need for information to obtain sensitive data via phishing. Phishing is one of the oldest types of attack, and it’s still very successful. Phishing is very hard to ward off with traditional security measures, so awareness and information are recommended to make people aware of the dangers.
As an example, the World Health Organisation has set up a website to combat the wave of phishing that uses WHO content. The site explains how to recognize phishing, and what to do in the event of a successful attack. Awareness is important, but it has its limits. The Internet and home offices should be a safe working environment for all users – not just an initiated minority. With today’s technology, you should be able to click on an email without triggering a virus Armageddon. It’s important to make systems resilient. People should invest in more resources and better technology that can identify malicious content in file attachments better than before. And they should implement containerized solutions so email attachments can be opened in a secure environment. Incidentally, that would be a good task for IT after the corona crisis as well.
If I don’t have a work computer, what do I need to watch out for when I back up work data on my private computer?
First of all, it’s worth checking your company’s classification policy to see what not to touch on your private computer in the first place. That includes documents and communication marked ‘strictly confidential’, ‘confidential’ or ‘sensitive’, contract information, specific types of personal data and more besides. For written communication, you can use a simple form of encryption by giving Word documents a password and sharing that password with the recipient. It’s important to use two different communication channels: you send the document by email, and share the password by phone. If you’re not sure whether information might be confidential after all, or if you need more protection, use home remedies like ZIP encryption. This has the advantage that you can compress larger files at the same time. ZIP encryption is considered strong, providing you don’t send the password together with the packaged document. Again, you should use a second communication channel to share the password. Other essential aspects of working in BYOD mode, besides secure data transmission, are protection against malware and secure data storage (storage on unencrypted local drives). Experts recommend this type of collaboration if you can work via Virtual Desktop Infrastructure (VDI).
How do you solve the problem of insufficient licensed VPN or two-factor authentication access?
You can use various solutions from different providers for secure connectivity. In addition to VPN, VDI solutions or SSH are also recommended for connections with high protection requirements. Terminal servers are also good for medium protection. Many companies and organisations began initiating and supporting the switch to home office working years ago. They enable their employees to work from a suitable, preconfigured, secure workstation – from home or on the move.
Zoom’s video conferencing software is very popular, particularly in the corona crisis. But now there are growing numbers of reports about data protection and data security issues. What do you think are the most serious issues with video conferencing software?
To quote the journalist Christiane Schulzki-Haddouti: use a good microphone. Poor audio quality really undermines effective communication. And if your video conference is easy to eavesdrop on, not protected against third-party access, is recorded without the participants’ knowledge, or the recordings are stored on unsecured platforms, you really do have to ask what the advantage is compared to a normal phone call or conference call. Ecological aspects – for instance higher energy consumption and network load – are other factors when you’re considering whether a video conference is really necessary, or whether a conference call or even a chat would be completely sufficient.
Which alternative meeting apps or video conferencing software providers are worth recommending?
According to the Berlin data protection authority, hardly any! But I wouldn’t go quite that far. It’s important to watch how manufacturers deal with reports about security gaps in their systems. A company like Zoom deserves a chance in private or non-sensitive fields because it took criticism seriously, reacted, and made improvements quickly. Those are important qualities because security and hazard situations change rapidly.
As the German cryptologist Hans Dobbertin said, ‘There is a continuous race between code makers and code breakers’. Companies that can react and retrofit quickly when new vulnerabilities or attack vectors become known have a clear advantage. But for business, government or political operations you should look for solutions that offer higher protection: Open Source Jitsi Meet, Cisco Webex or Microsoft Skype for Business, to name just a few. In the crisis situation, some video conferencing providers are offering their solutions free of charge for a limited time – often as full test versions.