(versione in italiano qua)
A few days ago I described one of the approaches based on digital technology that is being developed to combat COVID-19, DP-3T, highlighting some elements that should be improved to protect privacy.
I develop here a more general reflection on the impact of technological choices relating to the use of digital solutions for the management of the emergency health situation and the possible return to normality.
The European Commission has published a recommendation in this regard which, in my opinion, is not sufficiently precise in terms of security requirements. In fact, the need for adequate measures to ensure security of collected data is recalled:
- (p.6) «effective cybersecurity and data security measures are essential to protect the availability, authenticity integrity and confidentiality of data»;
- (p.10) «effective cybersecurity requirements to protect the availability, authenticity, integrity and confidentiality of data»;
What's the point? The point is that tracing contacts through apps installed on the smartphone, to ensure precision and privacy, must be based on decentralized solutions where smartphones exchange properly anonymized data which are locally stored.
However, the use of this decentralized approach requires, for its implementation in the current health emergency, to use the only mechanisms to carry out these local communications that are currently installed on almost all smartphones: WiFi and Bluetooth.
Which are the problems? We have been using WiFi for many years now in the "infrastructure" mode to connect us to a local "hot spot": the security of this mode has been extensively tested and appears technologically robust as long as, like any other technological solution, it is not hampered by human shortcomings such as using a weak password to protect access. The "ad hoc" mode, which should instead be used for the interaction of two neighbouring smartphones, has been used - and therefore verified with respect to security - to a largely lower degree. It therefore does not seem to offer, in practice, significantly higher guarantees than Bluetooth's with respect to robustness towards attacks.
Bluetooth is highly vulnerable, as it has long been known. Its use in "local" systems such as the home and the car is tolerable (even if it still poses security challenges) because it is a signal that in smartphones (especially when used in the Low Energy, BLE version) after a few meters has practically disappeared, unlike WiFi. In fact, it consumes much less battery. [Thanks to Francesco Palmieri for an illuminating discussion on these issues.]
Contact tracing using Bluetooth requires citizens to go around with Bluetooth constantly available to communicate: in my opinion this is the equivalent of asking them not to lock their home's door because a doctor is arriving for a medical examination. In the real world, this would amount to exposing the homes of all citizens to a high risk of intrusion. The same would happen in the digital world, with the difference that what happens here is outside our senses' perception. Everyone's devices would be subjected to scanning by the "bad guys" who currently do not need to be professional hackers, since toolboxes for unhinging "digital houses" are available at affordable prices.
Once "bad guys" are inside, the problem would no longer regard contact tracing data but having a hostile intruder within what is now closely integrated into our existence, the smartphone, the custodian of all our secrets, personal and professional.
I have not seen an analysis of these aspects in the ongoing discussions regarding the use of contact tracing apps. They assume digital solutions are still useful. But as observed by the Italian Data Protection Authority in the hearing of 8 April at the Chamber of Deputies regarding contact tracing apps: «Firstly, in assessing the expected effectiveness of a measure one should not fail to consider those supplementary measures, that is to say, the measures envisaged for the reasonably subsequent stage when the individuals identified via data tracing as potentially infected will have to undergo medical tests.
Indeed, one may well collect all possible information on potential virus carriers (whether in good health or not), but if there are not enough resources (or reagents) to establish whether those carriers do test positive to the virus, then one will not go very far.» (Bold is mine).
It would therefore be desirable that these security aspects related to Bluetooth (or any other technology on which the solutions are to be based) are explicitly analyzed in the evaluation of opportunities on the use of a digital contact tracking system. The same Italian Data Protection Authority observed that is «difficult to impose a general obligation for everyone to use those devices» and therefore «relying on approaches that are based on the voluntary acceptance of the individuals allowing their locations to be traced» is advisable. They added that «the effectiveness of this solution for diagnostic purposes is related to the support received from citizens» and that «it is estimated that at least 60% of the population should give their consent in order to achieve effectiveness» (bold is mine). For Italy (but in general, I think, for each European country) «raising adequate awareness of the advisability of this approach» will therefore be necessary.
It seems clear to me that in the presence of the security problems I have discussed above it will be difficult to convince many people.
Many international associations have in the past few weeks taken stance underlining the importance of carrying out an accurate overall cost/benefits evaluation of the adoption of digital solutions for the management of this health emergency. Here is a non-exahustive list:
- Electronic Frontier Foundation
- European Digital Rights
- Algorithm Watch
- Informatics Europe
- Computer Chaos Club
- American Civil Liberties Union
I really hope that democratic governments realize that asking their citizens to choose between privacy and health, as Yuval Noah Harai wrote, is an ill-posed question.
Nessun commento:
Posta un commento
Sono pubblicati solo i commenti che rispettano le norme di legge, le regole della buona educazione e sono attinenti agli argomenti trattati: siamo aperti alla discussione, non alla polemica.