In this guest post, fintech and digital finance specialists Mondato assess the impact and long term effect of the COVID-19 pandemic on privacy and personal data globally.

As financial services have gone digital over the years, each step forward has required three things: affordability, access, and trust. Of these, trust is perhaps the least well-understood; how do users know when to trust an app to handle their money, pay their bills, or steward their personal data? Trust in digital services is intensely personal, but it’s also acutely attuned to its particular cultural and political context.

What engenders trust in the citizens of a given part of the world is not necessarily effective elsewhere, and institutions play by different rules depending on their role in a given society. For this reason, the ramifications of the COVID-19 crisis on data and privacy are unfolding in divergent ways at the regional level, with long-standing attitudes toward authority underpinning the various strategies emerging across the world.

Prior to the COVID-19 pandemic, countries could be broadly classified into three types with respect to who was ultimately trusted with user data. In collectivist Asia, for example, it was government; in capitalist America, it was the private sector; and in the European Union, the newly implemented General Data Protections Regulation (GDPR), which standardized data privacy law across the EU, sought to return control of data from companies back to users themselves.

But now, all over the world, social responsibility is balanced against individual liberties as a global pandemic renders fellow citizens the potential threat.

In the past, privacy law was about your rights as a citizen vs the government. Then, 20 years ago, we started thinking about your rights with your employer and companies you deal with. Now, not necessarily for the first time, it is integrating those three things — you in relation to companies, the government, and people.”
Kirk Nahra, U.S. privacy and data security lawyer

Emergency measures implemented during the crisis have waived certain privacy laws and created massive surveillance programs. But the data measures put in place (though extraordinary in their implementation and novel in many senses) are in fact continuations of pervading attitudes, pre-existing industry practices, and, in autocratic countries, deepening social control. The data collection operations underway to combat COVID-19 are arguably not transformative, but rather serve as a defining example of life in the digital age.

Contact Tracing: The New O2O

The sudden demand for mass surveillance comes at a fraught moment in the privacy debate. To justify mass data collection practices, adtech firms champion aggregation and anonymization practices that claim to protect the identities of individuals while gathering sufficient data to create sophisticated consumer portfolios. Critics, however, question the claim that any data set of user information can be both precise and anonymous. Without sufficient safeguards, anonymized data can be de-anonymized by matching it with other data sets in order to identify individuals. In December, The New York Times opinion section published a series on location tracking in which it reviewed anonymized metadata from one of dozens of location data companies in the United States. They found, as one expert explained, that “really precise, longitudinal geolocation information is absolutely impossible to anonymize.” With the help of publicly available information, like home addresses, the Times was able to identify and track the movements of notable figures using supposedly anonymized data. Telcos have been selling such location data to third party data brokers for years. Although aggregated results are more easily anonymized, there remains the issue of who possesses the original data set, which can be hacked or abused.

Despite growing concerns surrounding the ability to keep such data anonymized, anonymization is a key component to nearly all data collecting measures employed against COVID-19’s spread. The CDC and governments in the U.S. are receiving metadata from the mobile advertising industry to better map out the movement of people during the crisis. In the UK, tech firms are processing large volumes of confidential UK patient information and creating outbreak models from it. As long as daily new infections and deaths keep climbing, and every citizen is deemed both suspect and potential victim, maintaining data anonymity may prove a secondary concern.

Apps Of All Stripes

As countries seek to end lockdowns and slowly reopen their economies, the most prevalent use of digital data will be contact tracing apps. According to digital rights group Top10VPN, there are now 43 contact tracing apps available around the world to monitor and stop the spread of COVID-19, with more in the pipeline. How regimes reconcile the tension between individual privacy and public exposure is what differentiates these respective apps from each other, and approaches to contact tracing diverge along several dimensions:

Which data will be collected?

GPS tracking can help governments form maps of citizens’ movements to better understand the effectiveness of confinement measures (and in certain cases, to better enforce them). GPS is indeed an appropriate tool for understanding social movement on a macro level. But when it comes to contact tracing, GPS is an imperfect oculus; in theory, GPS can be accurate within one meter, but more typically 5 to 20 meters — obviously an unsuitable range to determine whether someone has been within two meters of an infected person.

Generally, GPS is regarded as a more invasive, less effective approach, but it’s used by 64% of extant contact tracing apps as reported by Top10VPN. Israel, for example, has employed a GPS tracking system that surveils all citizens, pinging cellphones, cross-referencing data, and alerting them if they have been potentially exposed to someone with COVID-19. The use of such imprecise information has predictably led to cases in which individuals are erroneously forced to quarantine despite maintaining proper social distancing.

While GPS measures location, Bluetooth simply measures proximity between devices, which improves precision and protects privacy. Perhaps to protect user privacy, Apple and Google are using Bluetooth for their upcoming tracking app. In this app, each device is granted an anonymous key that cycles every 15 minutes to preserve privacy. The signals of nearby phones are picked up at 5-minute intervals, and connections between devices are stored in a database. Once a person has been infected, the app will only share keys from the specific period in which they were infected.

Bluetooth technology still faces considerable, however; currently, the app and Bluetooth must be kept on at all times, and it can’t tell if a wall or barrier stands between people. Most crucially, such technology requires a critical mass of the population to voluntarily download and use the app at all times to be effective. An Oxford study suggested that at least 60% of the population would need to use such an app to effectively track and control the virus. Singapore had been lauded for its Bluetooth-enabled TraceTogether app, used in tandem with its manual tracing regime and high testing rates to control the disease. However, even with high smartphone penetration, a small, cooperative populace and centralized authority, only about one in five Singapore residents had downloaded the app. In recent weeks, infections started to spike after an outbreak among migrant workers — rendering such tracing efforts pointless, as it would be nearly impossible to keep up with community spread.

Where is data stored?

A centralized database is far easier to manage and sort during a crisis, but it also makes sensitive information prone to hacking or abuse by the collecting body. Of the 27 contact tracing apps with known database set ups (others have yet to be publicly disclosed), only 8 employ decentralized databases, whereas 19 have centralized databases — many of which are government-run.

In the case of the Apple/Google app, it is the mobile devices themselves which perform the cryptographic calculations; central servers only maintain the database of shared keys, rather than the interactions between said keys. The drawback to this privacy-conscious model is the lack of information it provides to epidemiologists. Only by linking different sightings of a device with different users would authorities be able to use it effectively on a society-wide scale — which would compromise privacy.

What to do with the information?

According to Top10VPN, 28% of contact tracing apps so far have no privacy policy enumerated, meaning that there have been no clear boundaries set for how the stored data could actually be used. While it’s too early to know what risks are associated with this data, in the most egregious case to date, Iran launched an app that claimed to diagnose coronavirus through a series of yes-or-no questions. But rather than offering a proper diagnosis, the app enabled the Iranian regime to gather large swaths of citizen data and track their movements in real time.

Collectivism, Culture, Virus, Virtue

In Asia, laws and social norms alike leave a grey area for the use of data. South Korea, for instance, actually had a digital contact tracing regime prepared before COVID-19. After the 2015 MERS outbreak, South Korea passed regulations which required districts to publish information pertaining to infected people, including: travel routes; which public transit they took; which hospitals treated them; whether they wore masks; and even their age and gender. South Koreans are routinely informed if there has been an infected case within 100 meters of their location. Such detailed mapping, combined with extensive manual contact tracing efforts and high levels of testing, have helped South Korea prevent full-blown community outbreaks. As The New Yorker described recently, despite the invasion of privacy inherent in such a process, the South Korean citizenry decided after the 2015 MERS outbreak that radically transparent “virtuous surveillance” was the best option. The South Korean surveillance apparatus also makes use of credit-card payment information, travel and medical records, and health information to track the travel history of every resident.

Elsewhere in Asia, anti-COVID measures have sometimes ignored individual liberties for the social good. Hong Kong gives a wristband to anyone entering the country that they must calibrate with the country’s StayHomeSafe app, geofencing quarantined residents. Taiwan has utilized what it calls an “electronic fence” which tracks mobile phone data and alerts authorities if someone who is quarantined leaves their home. Some parts of India are stamping the hands of airport arrivees and monitoring reservation data from airlines and trains to ensure that those people don’t travel.

Not surprisingly, China was the first to employ digital tracking to battle COVID-19, and it also employed some of the most invasive measures in their design. Software installed in citizens’ phones tracks their movements and classifies individuals with a color code indicating their contagion risk, even regulating their ability to enter public spaces. The government has avoided disclosing exactly what information determines the individual health status for over 1 billion citizens, but reports have suggested that digital payment data from AliPay and WeChat Pay were used by authorities to ascertain if someone was buying fever medicine, for example. Though unsurprising, this would certainly signify a creep in the Chinese surveillance apparatus. Reportedly, Alibaba and Tencent — with speculated ties to the Chinese government — have resisted efforts by authorities to obtain consumer data during the pandemic, but this may be due to a view that privacy protections are vital for a future expansion into Western markets. If surveillance entreaties by Chinese authorities ultimately prove successful, there is precedent in events like the Beijing Olympics and Tibetan protests that “emergency” surveillance measures could become permanent.

Democracy, Data, Pandemic, Privacy

In the U.S., on the other hand, authorities are collecting data from the advertising industry to get an idea of where people are gathering. The U.S. relief bill also included $500 million for the CDC to build a “surveillance and data collection system” using advertising metadata. The ad companies, which are sometimes criticized for their lack of transparency, are not actually changing any of their collection practices in response to the crisis — rather, their existing operations are being further legitimized by the U.S. government. And this isn’t particular to the U.S.; companies with dubious records such as U.S. big data firm Palantir, Israeli spyware maker NSO and Italian surveillance company Cy4gate are offering their services to countries across the world. But the fact remains that this emergency comes at a critical time for data privacy in the U.S., where a national data privacy law limiting the actions of private companies is conspicuously absent.

Through the GDPR, the European Union has reined in data collection endeavors, but COVID-19 comes just after the new regulations have begun to take root. The GDPR, the EU’s sweeping new data privacy law implemented in 2018, says companies can collect personal data only for a specific reason, and must obtain individuals’ consent for how it will be used, prohibiting “coerced” or “hidden” consent practices common in other regions. Telcos are still collecting metadata, but it has to be properly anonymized or deleted.

(Proposed contact tracing app, Germany and U.K.)

In the COVID context, the GDPR contains emergency provisions which allow flexibility on responsible data collection during an outbreak. Although all member countries are bound to GDPR regulations, several states have taken somewhat divergent views on observing its guidelines. With the exception of Poland’s digitally monitored enforcement of quarantines, invasive measures have so far been relatively minor, with explicit expiration dates for collection efforts (though it is still early in the pandemic for countries like Hungary, where Prime Minister Orban can now rule by emergency decree during the crisis).

The EU must now reconcile its focus on personal control of user data with the public health demands of the crisis. As the EU’s data protection watchdog calls for a single coronavirus app, the European Commission has leaned on telcos to provide fuzzy metadata for coronavirus modelling, akin to the United States.

While the EU’s privacy regime is bending (though not yet breaking), the privacy-conscious citizenry of Europe will make it even more difficult to approach the critical mass needed for such tracing apps to be effective. In Austria, the Bluetooth-enabled app is voluntary, can be deleted, and no central database exists. Though privacy experts have expressed approval of the app’s design, the country’s wary citizenry have been slow to adopt the app nonetheless. Will the GDPR’s privacy regime be diminished or fractured to strengthen digital tracking measures, or does it endure at the cost of foregone contact tracing opportunities, and potentially a faster recovery?

The Unknown & The Unknowable

There may ultimately be no need for a zero-sum tradeoff between useful data collection and effective data protection. Emerging privacy enhancing technologies (PETs) offer a solution to the centralized hoarding of consumer data. PETs use different computational and mathematical approaches to extract data without jeopardizing the privacy and security of this information. One method already in use is “differential privacy”, wherein statistical noise is added to the inputs to prevent the unmasking of information through overlapping data sets; Google is reportedly employing this technique for its coronavirus mobility maps. Another emerging but pertinent method is called “zero-knowledge proofs”. It comprises a series of cryptographic algorithms that can “test” to “verify” that a computational statement is correct, without revealing any data behind it. Blockchain security company Hacera, in partnership with IBM, Oracle, and Microsoft, has already adopted this technique to create a distributed and verifiable data hub, MiPasa, to collect, validate, and leverage COVID-19 data in Honduras, with the possibility of expanding the blockchain-powered app to facilitate segmented shopping schedules for locked-down populations. National health institutions in the U.S., Canada, Europe, and China have contributed to the project.

Such methods are complex, often developmental, and undeniably less useful to information-hungry companies and governments. It is unlikely privacy rights will emerge from this pandemic unaffected. For data-reliant industries like digital financial services (which are increasingly embracing PETs for their own data collection purposes) the ramifications are uncertain. On the one hand, as pressures mount on Chinese companies like Tencent to adhere to Western privacy standards even during the crisis, the interconnected nature of digital realms ties each region’s fates a little closer to each other. But without global coordination during the crisis, it is likely that data privacy across regions will increasingly gravitate towards the predilections of their respective political and cultural situations — in most cases to the detriment of privacy for individuals, with lasting risk to the post-COVID world.

In this guest post, Stuart McBride, Head of Threat Intelligence at AdaptiveMobile Security shares their assessment of the recent rash of Covid-19-themed SMS spam campaigns, and offer practical steps for how consumers can spot such scams.

Many Governments across the English-speaking world are announcing various reliefs and benefits to individuals and businesses financially affected by the Covid-19 pandemic.  Such programmes are an attractive new vector for scammers.

AdaptiveMobile Security’s Threat Intelligence analysts have observed similar SMS Spam being sent to subscribers in the US, Canada and the UK.

As an illustrative example, on March 18th, Canada announced it would be making one-time special payments by May 2020 for qualifying individuals.  This week, we have observed messages like the example below being sent to some Canadian mobile phone subscribers:

To an ordinary recipient, growing accustomed to unexpected announcements, this may seem like a genuine public service message in extraordinary times.

The message isn’t entirely implausible.  It’s fairly clearly laid out, and other than the incongruous French abbreviation of “Gouvernment,” is spelled correctly and signed as if from the real Canada Revenue Agency.

Let’s see what happens to the unsuspecting subscriber who clicks the link.

The first thing the subscriber will see on their handset is an authentic-looking website with the real Government of Canada logo, and in both official languages:

Choosing English, the subscriber is now asked for their name and social security number.  The subscriber may enter their real details at this point, but regardless of the input, another convincing “Searching…” message is animated for a few seconds, before presenting the good news.  The subscriber is eligible for a random amount of Canadian dollars:

Proceeding with the application, we now reach the key and indeed only intention of the scam – to steal the subscriber’s credit/debit card details.  The subscriber is invited to choose their bank from a list of real Canadian banks.  Choosing BMO (Bank of Montreal) leads to a login page with genuine logos and convincing looking links to register, change language and reset password:

In fact, as an entirely fake mock-up of BMO’s login page, the site has no way to authenticate the login, and will accept any correctly formatted card number and password.

The follow-up page asks for the remaining card details and even the security questions and answers – providing the attacker with enough information to potentially hijack the subscriber’s bank account.

Assuming the subscriber entered their details correctly, they can now expect unauthorised purchases, payments or transactions on their account.

Spotting a scam

How could a regular subscriber have avoided falling victim to this SMS Spam?

1. The message

From the initial message, there were some tell-tale signs that this a scam.  First of all, there’s the awkward language in the initial line of the message, with an unnecessary capitalization, and the French spelling of “Gouv.”  However, this might not be immediately obvious to a non-native speaker of English.

The next and bigger red flag is the link offered.  All Canadian government websites use the top-level domain for Canada, “.ca”, for example https://www.canada.ca/ and https://www.gc.ca.  As anyone in the world can register any .com domain name, the random format of the web address should give pause to an astute subscriber.

2. The website

It would be unusual, if not entirely impossible, that in 2020 an official website would be unencrypted.  The “Not Secure” warning in the phone’s web browser should be an immediate red flag.  If any doubt still remains whether this site is a scam, it should be removed on seeing the online banking login page.

Under no circumstances will an online banking login ever show (1) a “Not Secure” message in the browser or (2) a domain name in the address bar that does not belong to the bank.

The virus might have exposed the vulnerability of the human, however, the reactions from people worldwide have also showed resilience, ingenuity and astuteness. Below we share learnings and actions from MEF members that have worked in supporting businesses and consumers as well as innovations and new solutions for fighting back against the virus.

Additionally, we have noted that our global messaging traffic has shown considerable elevations above normal levels since the middle of March – both for P2P and A2P. Consequently, we put our messaging operations on high alert to make sure our networks are operating at their peak efficiency and that our business customers are using high-quality routes.

We, as SAP Digital Interconnect, recognize that now more than ever businesses need to connect with their customer. Social distancing means physical distancing and therefore requires even more virtual touch points. SAP Digital Interconnect with our CPaaS portfolio of channels and solutions continue to intelligently interconnect everyone, everything, everywhere.

Boloro is compatible with all mobile phones, including smartphones and feature phones, and easily deployed via APIs for local hosting and / or cloud-based hosting. Use cases include: online banking, digital payments and eCommerce, as well as the avoidance of touching public Point of Sale machines, ATM keypads, finger scanners and other public devices by putting all activities safely and securely on the personal mobile handset.

Looking forward, we anticipate the potential for further abuse as fraudsters and scammers take advantage of governmental financial aid and deferred tax filings notifications in order to construct new campaigns to exploit the vulnerable and worried population.”