Hacked - Contact High
Episode Date: June 30, 2020
Jordan Bloemen & Scott Francis Winder chat with Nex, head of the Amnesty International Security Lab, about the rise of digitized contact tracing around the world. If you like the show and want to make sure we can keep making it, please subscribe and if you can visit https://www.patreon.com/hackedpodcast and show us some love.
Transcript
How much do you know about Bahraini and game shows?
Absolutely nothing.
Perfect.
That is audio from Are You at Home, a game show that airs in Bahrain, where the audience can win a big cash prize, as long as, and this is important, they're in their home watching while the show airs live.
If you win, you get a video call at home from this enthusiastic game show host, and as viewers, you get to watch people get this call and it's exciting because they're excited because they want a bunch of money.
It's fun. Are You at Home is fun. Are You at Home is broadcast by Bahrain TV, a state-run
television network and the Bahrainian state, a constitutional monarchy overseen by King Hamad
bin Issa al-Khalifa has, like every other state in the world, spent the last four months
grappling with this global pandemic. Like many governments, in March, Bahrain rolled out their
contact tracing app. It's called Be Aware. The nature of and how well a user's data is handled
is really, really essential to how secure a contact tracing app is. How we achieve that is this big
problem some of the biggest tech companies in the world are grappling with right now. But if you
want a secure contact tracing app, and if you want to know if a contact tracing app is secure,
you need to make sure it's taking the right kind of data and storing it in the right way.
Which brings us back to Bahrain.
And this game show, Are You at Home?
Imagine you're sitting at home watching this game show and suddenly you get a call.
You've won.
You answer the call.
You chat with the host.
You get a prize, what a day.
But persistent in the back of your head is the fact that you did not sign up to take part in Are You at Home.
You didn't give anyone your name or phone number or physical location.
Yet this program, operated by a state-run television channel, seems to have all of it.
And considering the fact that instead of anonymizing your data, you have to use your national
ID to sign up for Be Aware, tethering the data the app accesses not just to your device but to your
name, we can pretty easily imagine how Are You at Home got all that incredibly private,
incredibly privileged information. If you had any question whether your data was secure, not just
your location, but all the other private information Be Aware has access to, just know that it was
given to a game show. Just know that the Bahrainian state has publicly published this sensitive
personal information of suspected COVID-19 cases on the internet, including people's health status,
nationality, age, gender, and travel history. You can go read it right now. Just know that if you
live in Bahrain and you don't really like this and you choose to not carry your phone, the
government has begun using Bluetooth bracelets to make sure that certain people never get too
far away from the machine that's now tracking them. Removing the bracelet is punishable by a very
large fine. Contact tracing is a contradiction. On one hand, it's a potentially powerful tool in our
arsenal as a society to fight the pandemic. If we're going to keep the gears of our society
turning in the delta between outbreak and vaccine, we need a way to accurately track the spread
of the virus, to tell people when they've been exposed.
We have the technology in our pockets to do this.
We should almost certainly be using it.
On the flip side, really the only people with the platform to publish these tools in a way that properly integrates them with our healthcare system is the government.
And depending where on earth you live, you might not have the ability to keep that government accountable.
On the other, other hand, go ahead and check the permissions on your phone right now and think really hard about what you will give that data up for, if not for this.
Amnesty International Security Lab has been investigating contact tracing around the world since April.
We started really looking at this in the beginning of, and of April probably, and a couple of months then it became obvious this was going to be an issue that was going to be at the forefront of a lot of discussions around COVID-19 in many places.
That's Amnesty International Security Director Claudio Guarnieri, aka Nex.
And there was a lot of information coming out,
as well as a lot of misinformation coming out
or misunderstandings coming out over what these apps
were supposed to be doing, what they were actually doing.
And so then we decided that it was necessary
to spend some more time and look a little bit more in depth
into some of these, and then study,
kind of picking apart some of the ones that we immediately found to be a little bit more
concerning.
The Amnesty International Security Lab has been investigating and publishing findings on contact
tracing apps in Kuwait, Qatar, Norway, and relevantly Bahrain.
Those that were either imposed as mandatory, for instance, which is something that we are
advocating against, or that quite openly advertised access to, you know,
potentially sensitive data.
We wanted to understand the contradictions
at the heart of contact tracing.
So we hopped on a call with Nex
to talk about the tech behind these tools,
the vulnerabilities that they expose,
and whether or not you should download them.
Here, on Hacked.
We should probably define what contact tracing is.
Sure.
Probably should have done that before.
I just told a six-minute story.
About contact tracing.
About contact tracing.
Contact tracing is an old paper pen process of essentially finding out who someone's been in contact with, literally contact tracing.
Digital contact tracing at least is an attempt at digitizing that process of establishing contact between people who have been potentially exposed to the virus.
So in epidemiology, contact tracing from a human perspective is a very well-established practice.
So if you, you know, come down with, you know, a virus or something else or, you know, any other reason why they need to know who you've been in contact with recently, somebody comes and asks you a long list of questions, what have you done? What did you do these days? Where were you? Who did you see? Do you talk to anybody, et cetera, et cetera? And they figure out kind of what your social, your physical life social network has been, you know, for trying to trace who you've been in contact with because they need to be in touch with those people.
Contact tracing apps look to do digitally what healthcare workers have been doing manually since at least the late 1800s,
when public health officials would manually track the spread of smallpox from one household to another.
The problem with it though that became apparent with COVID-19 was kind of this scale obviously of the pandemic
and the burden that these whole put on health authorities,
it kind of brought the argument that these needed to be streamlined and digitized
in order to relieve the health workers from doing this as well, given the scale of this problem
and the wide distribution of the infections that were happening.
How do you digitally track who has been in contact with who?
Because who someone has contacted is different than where they've physically been?
There's been a few different approaches or proposals and how to do that, leveraging different types of data.
You had seen early on proposal to collect records from cell towers, for instance.
So that eventually was sort of abandoned because it was obvious that it was not accurate enough.
And then he moved on to other possibilities.
So there's been attempts that, you know, or proposals to look at doing contact tracing using GPS tracking.
And some countries actually ended up doing so.
Say you're a health authority trying to use smartphones to track who has had contact with who.
You can't have contact unless you're in the same physical location,
so your first instinct is going to be to track people's physical location.
The trouble is, cell phone towers are inaccurate,
and if GPS works, you're now monitoring the physical location of your entire populace,
not just when they potentially come in contact with the disease, but all of the time.
And people hate being tracked all of the time, which is when Singapore shows up.
And at the beginning, Singapore, I suppose, was the one that put this on the spot as a potential
method was using Bluetooth as a vehicle for contact tracing, and many others have then followed,
and Apple and Google and so on came with their own implementation.
And with it essentially, the principle is always the same.
You know, authorities need to be able to establish what are, a reconstruct whom, with
whom other people that have been found infected have been in contact in the period of incubation
of the virus.
But regardless of which method a country ultimately decides to use, all of these approaches
are really trying to do the same basic thing.
And so that all of these start to solve this problem, all of these different attempts
try to solve this problem of how do you digitize human contact?
How do you create a virtual record, an electronic record, that represents as
accurately as possible human contact, which turns out it's not a trivial thing to do.
But, you know, we're seeing now kind of a trend towards somewhat of a standardization around
using Bluetooth as a primary tactic, let's say.
Before we dig deeper into this, like what do you think about that tactic? What do you think about
that trade-off? Yeah. Like the, you know, in the discussions about, you know, Bluetooth and GPS
and all the rest of this stuff.
You know, I think there's, what, 86% of North Americans,
and I'll speak about North America because that's where we live,
have smartphones.
So there's a bunch of other people out there that, A, don't have phones,
B, don't have smartphones, C, might not have devices with Bluetooth.
So there would be a bunch of people left out of that equation,
even if we were to go GPS.
But Bluetooth is way more fallible than a GPS solution.
So it's something like, at what point and at what error do we just not trust the system? Like I'll tell you from a
lifetime in tech garbage in garbage out. And if the system is completely useless because it's only
you know sub 50% reliable, then it's not even worth having. Because if we put any trust into it
and it fails to perform, then we're just going to trust it less and less.
This is not the first time that people have had to figure out the balance between security
and autonomy in a big fat rush.
Beautiful.
Beautiful.
Unethical.
Dangerous.
You've turned every cell phone in Gotham into a microphone.
And a high frequency generator receiver.
You took my sonar concept and applied it to every phone in the city.
With half the city feeding your sonar, you can image all of Gotham.
And also, uh, real things.
Today, the president signed a big new anti-terrorism bill that would expand the government's
ability to track down terrorists, but at some cost.
To figure that balance out, you really have to understand what info you're giving and what is being done with it in order to be able to draw a line of what you will and won't accept from one of these apps.
You can look at this from different perspectives.
You can look at it from an utilitarian perspective, and in that sense, the more data the better.
Obviously, we look at it from a human rights perspective, so we try to provide a human rights interpretation
to this new technology as well.
And when we do this, and we do this with every emerging technology,
not just contact tracing, but everything, instead of new that comes along,
that has a potential to erode fundamental rights.
Essentially, we apply two or three preconditions.
The first one, obviously, being this technology that is being introduced
and that has a risk of eroding people's, so I'd say, privacy in this case, needs to be necessary.
And that's a very tricky one to answer in this case
because of the fact that it's not something that has been done before, really not at this scale.
And we don't really know yet what will be the outcome of these experiments, let's say.
So it's hard to really kind of argue both in favor and against the necessity of digitizing contact tracing in this way.
I think personally I think it's sort of an experiment that we'll have to live through and see the end of
to really have a solid judgment on, although personally also have a lot of reservations and various aspects of it.
What's the second metric that you take into account in these situations?
The second criteria is proportionality.
We need to look at this new technology and see
what is being done or requested citizens and people to sacrifice
in terms of fundamental rights, in terms of privacy,
proportionate to the goal that these new technology is trying to achieve.
And so in this case, when we look at the proportionality of these technologies,
essentially we need to take a few steps back.
So if a technology has been proposed
and a contact tracing approach has been proposed
that have characteristics that by default
are more respecting and preserving people's rights,
so people's right to privacy,
and still serve that purpose of,
you know, provide a functioning model
to serve that original goal
that has been proven necessary,
that for us, that's already an initial
step that needs to be at least explored and taken before moving on to more invasive measures and
more models that would even further erode people's rights to privacy.
I think that is the good question because it's like where is the trade-off that we're comfortable
with? Is are we comfortable trading off our personal privacy for a more of a community
result? We all sacrifice our personal anonymity. We sacrifice
privacy, we sacrifice lots of things, but we do that for the collective good. You
know we've just come through a period where we've all sacrificed a lot for the
collective good and this just begs the question of when do we stop sacrificing and
who do we trust with our sacrifices then there's a next question of what
happens to these data you know who owns this data how frequently is being
collected and where it is being collected and stored and where the analysis
of this data happens
And that's where the whole debate of centralization versus decentralization kind of comes in.
But as it stands, so with all of the options that we've seen so far,
and all of the approaches and models that have been proposed so far,
what seems to us is that those that apply decentralized architecture with Bluetooth contact tracing,
with sufficient cryptography and privacy protection in place so that, you know,
identifiers are rotated and all possible de-anonymization
attacks that could be done against the system are minimized as much as possible,
are the ones that we think are favorable and are the ones that we think should be at least explored
first. And there needs to be a consensus of whether this is sufficient or not for the purposes
of this pandemic. Pay me a picture of what, I guess, the most secure, the most private versions
of one of these apps would look like. Take me through how this decentralized,
Bluetooth-based version of this works.
Yeah, let's take, for example,
the case of an app that does contact tracing
using Bluetooth.
And that is the case in most Western countries
at this point and in others as well.
So the basic functioning here is
you have the app installed, I have the app installed.
It's running in the background continuously,
and the app essentially are constantly transmitting
messages in the ether, let's say,
with my own identifier in it.
It's, let's say, a computed string of some sort
that uniquely identifies my device.
Your device does the same, so your app does the same,
and when we meet or when we share a space,
let's say, I don't know, in the line at the supermarket
or because we get a coffee or something,
our two phones, the apps are exchanging these identifiers with each other.
So they can mark a record in an internal database
of the app who I have seen, which identifiers of other users have I seen in my proximity,
and the proximity with Bluetooth tends to be between, you know, at maximum 10 to 20 meters
distance, then the signal sort of loses out, so you don't see any other people around you,
and that's why it's sort of being favored for this particular tracking, because technically you
only want to have records of people that are very close to you. And so in this case,
this is sufficient for this measurement.
And so these records that are stored and in your app's internal database, let's say,
you will have a record of all of the identifiers that you have seen in your proximity at what day and what time.
Which brings us to decentralized storage.
Where all that data is not being uploaded to any central location.
It's typically kept on the device.
So the app does not transmit anything to any central location.
The only circumstance where data is uploaded is when someone is being found as positive with COVID-19.
And even if, you know, you could argue, well, it's fine.
I trust the health authorities to use this and to not abuse access to this data and to not use it for any other purpose than COVID-19.
And that obviously is a lot of assumptions that you're making because we can't really know in advance.
is law enforcement going to request access to these data for other purposes?
For instance, for law enforcement uses or for immigration control or for God knows what else.
And given the sensitivity of the data that the system aggregates,
that's why it needs to be, we need to pay particular attention and be particularly careful with their management.
I appreciate that we're really looking at this from like a privacy and human rights perspective.
But I guess just from like a almost like a personal or utilitarian perspective, like what do you think of this, Scott?
A lot of what I was saying is under the privilege of being a Canadian, no doubt.
This has been going on.
Like most of the, most people out there who are worried about this are already giving this information away.
They're just giving it away for nothing instead of the, you know, a major social and physical benefit to society.
So it's like, to me, it's, to me, if I was building this system, it would be concurrent GPS based all the time.
and it would be centralized and queryable.
So the second you had your COVID test or your Corona test or any tests,
like let's assume that, you know, this isn't the first and last pandemic.
You know, when you go in for your test, you also scan in your track ID or whatever the code used in the API will be.
And so the second the system knows whether you're positive or negative,
it knows who to alert because it can see in the proximity information from the GPS.
Granted GPS is consumer GPS isn't, you know, within six feet.
It's like within 30, but better safe than sorry.
Especially if you've been touching surfaces and things like that.
If I was looking to do this in the most utilitarian way and trusting that this information will be secured, safe, and kept to the best of people's ability, not only that, but most of this information exists already and is being given out to third parties already.
And people have consented to that already.
I think that this is, to me, this is something that, you know, we should be discussing as a society in a much deeper, stronger way about, you know, collective good.
Because I'm curious, can you sort of tell me a little bit about your findings in regard to this,
this handful of countries whose apps really raise privacy and security alarms for you?
We single out a few of these countries, specifically, Bahrain, Kuwait, Norway, and earlier on Qatar,
because of kind of the particular implementation that they decided to adopt that we found to be problematic.
So in the case of Bahrain and Kuwait and Norway, for instance, all of them share a similar design from a foundational point of view.
So all of them do live GPS tracking at different frequencies.
So in all of these three cases, we have kind of both that kind of what we believe to be excessive tracking.
so real-time GPS tracking and centralization in place where the data is automatically collected by
the authorities and they're stored somewhere. The issue that we found with Qatar that made it
particularly worrisome was one the app was being mandatory at the end of Ramadan and what we
noticed is on top of just doing this Bluetooth contact tracing this app also upon registration and they
required a phone number as well as your national Qatari national ID to register an account
with, then the app would also display in the main view a QR code, a colored QR code that
is then being used by authorities at checkpoints and by police patrols and so on, in order
to check if you indeed have the app installed, but also to check your health status and see if you're
supposed to be in quarantine or not. And we found an issue with the way that the app were downloading
in this QR code that would allow anybody with a sufficient technical know-how to assess
download a QR code for anybody in the country the app installed.
So you could essentially crawl out all of these millions of QR codes that would not only tell
you the health status of a particular individual but also their names in English and Arabic.
They would tell you their designated confinement location and GPS coordinates, so supposedly
their home, the location of their home addresses, as well as other details such as if they
are being treated in isolation, the name of the medical facility and so on.
So that was kind of particularly worrisome.
That's why we disclosed it early on,
because we got in contact with the health authorities in Qatar
and tried to get a resolve as quickly as possible.
And to their credit, they did.
They minimized the data exposure pretty quickly
and eventually released an update to the app.
But it was a perfect example of, you know,
this is what can happen if these apps are rolled out too quickly
without appropriate considerations in place
over what happens to this data
that it's being suddenly centralized,
especially this level
of detail and with this amount of sensitive information about individuals, not just their names,
but also their health status and so on and so on.
Do you think these are mostly mistakes, or do you think there are bad faith actors?
It's hard to tell. I mean, broadly speaking, I started with a presumption that health authorities
that are involved in building these tools, do it in good faith, and under a lot of pressure.
I think others have used it as a means to, yeah, let's say to show a little bit too much to the population they were doing something while neglecting other things that perhaps were a little bit more important.
Let's say, you know, we have some circumstances in countries that are put this issue of these contact tracing apps at the front of the agenda while they were still not investing sufficient efforts in providing kind of access to testing to the people.
Right.
So should I download it?
Like I guess the sort of finalish question, like, is it worth it?
Because I think I sort of get the equation that this is a balance of necessity and
proportionality.
But like, I want to stay secure, but I want to help however I can.
So do I download one of these apps?
How do I make that decision?
That's a very good question.
So this is a question that I was asked
as well in other occasions, especially in countries that were, for instance, we highlighted issues
and where we found concerns. And I've been asked, would you install it, would you tell
people to install it or uninstall it? And it's not something that I feel really comfortable
answering because ultimately it's really a kind of a personal analysis that one needs to make.
So the main requirement here, though, is that analysis and that decision, firstly, has to be
free and voluntary.
And so at the point where it's mandatory already, we're in the wrong, because then it is
not really a free choice.
Then at that point, the second problem is, do you actually know well enough about what the app is doing
and what happens to the data that is being collected?
And in many cases, we've seen that that is not necessarily the case.
So to me, and this is me being, you know, Scott the Infosec guy who was, you know,
freedom of whatever, like has been around the space forever. This is something where I feel like
we're going to need to flip the switch and give it up. Yeah. This is just one of those
situations where it's like, you know, we're talking about real harm. Like we're talking about physical
death, like the value of lives, the value of collective and wholesale lives. Not only that, but then we're
also talking about the repercussions it's having as well as the closures. Like we're, like, not only do
we have physical harm, we have economic harm, which is going to cause more social harm, which is
going to cause more, you know, everything, crime, et cetera, et cetera. Like, this is a cascading
waterfall that no one wants to be a part of. And collectively, as a society, we're going to have to just
deal with it.
And for me, you know, this is just me personally.
Like, I would be, I would want this solution to be the best that it can.
And to me, the best solution, best version of this solution is not the one that's the most private.
And that's sad to say, but it's true.
It's like, you know, we have to make some tradeoffs between, you know, collective health and personal rights.
And it's like, we make those tradeoffs every
day and I think society is trying to find a new balance with what's going on and this is oddly
another piece to that balancing act.
Ultimately I don't think the answer to the COVID
is a technological one. But you know we have to at least explore these options and see if it can play
a role but it can only play a role in so far as there's a coherent and well-executed health
care plan that takes into account all of the different avenues of response to this pandemic
and takes into account not just building a gadget that people will get behind, but, you know,
providing access to healthcare, providing access to testing facilities, providing all of these
different services and response measures that are more necessary than probably just the app itself.
But we'll have to see. We have to live through and see the end of it, I feel.
What a nice, straightforward, easy, simple, fun story to take your mind off a complicated world we just told.
A big thanks to Nex for joining me. It's a complicated topic, but it was a really fun conversation to get to have.
And I hope it was, you know, informative or interesting to listen to.
If you want to support the show, subscribe, comment, five stars, tell people, and check us out.
Patreon.com slash hackedpodcast.
Stay safe out there.
And we're going to catch you on the next one.
