kottke.org posts about Bruce Schneier
Nicky Case, working with security & privacy researcher Carmela Troncoso and epidemiologist Marcel Salathé, came up with this fantastic explanation of how we can use apps to automatically do contact tracing for Covid-19 infections while protecting people’s privacy. The second panel succinctly explains why contact tracing (in conjunction with quick, ubiquitous testing) can have such a huge benefit in a case like this:
A problem with COVID-19: You’re contagious ~2 days before you know you’re infected. But it takes ~3 days to become contagious, so if we quarantine folks exposed to you the day you know you were infected… We stop the spread, by staying one step ahead!
It’s based on a proposal called Decentralized Privacy-Preserving Proximity Tracing developed by Troncoso, Salathé, and a host of others. Thanks to Case for putting this comic in the public domain so that anyone can publish it.
Update: About two hours after posting this, Apple and Google announced they are jointly working on contact tracing technology that uses Bluetooth and makes “user privacy and security central to the design”.
A number of leading public health authorities, universities, and NGOs around the world have been doing important work to develop opt-in contact tracing technology. To further this cause, Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing. Given the urgent need, the plan is to implement this solution in two steps while maintaining strong protections around user privacy.
Update: Based on information published by Google and Apple on their contact tracing protocols, it appears as though their system works pretty much like the one outlined above in the comic and this proposal.
Also, here is an important reminder that the problem of what to do about Covid-19 is not primarily a technological one and that turning it into one is troublesome.
We think it is necessary and overdue to rethink the way technology gets designed and implemented, because contact tracing apps, if implemented, will be scripting the way we will live our lives and not just for a short period. They will be laying out normative conditions for reality, and will contribute to the decisions of who gets to have freedom of choice and freedom to decide … or not. Contact tracing apps will co-define who gets to live and have a life, and the possibilities for perceiving the world itself.
Update: Security expert Bruce Schneier has some brief thoughts on “anonymous” contact tracing as well as some links to other critiques, including Ross Anderson’s:
But contact tracing in the real world is not quite as many of the academic and industry proposals assume.
First, it isn’t anonymous. Covid-19 is a notifiable disease so a doctor who diagnoses you must inform the public health authorities, and if they have the bandwidth they call you and ask who you’ve been in contact with. They then call your contacts in turn. It’s not about consent or anonymity, so much as being persuasive and having a good bedside manner.
I’m relaxed about doing all this under emergency public-health powers, since this will make it harder for intrusive systems to persist after the pandemic than if they have some privacy theater that can be used to argue that the whizzy new medi-panopticon is legal enough to be kept running.
And I had thoughts similar to Anderson’s about the potential for abuse:
Fifth, although the cryptographers — and now Google and Apple — are discussing more anonymous variants of the Singapore app, that’s not the problem. Anyone who’s worked on abuse will instantly realise that a voluntary app operated by anonymous actors is wide open to trolling. The performance art people will tie a phone to a dog and let it run around the park; the Russians will use the app to run service-denial attacks and spread panic; and little Johnny will self-report symptoms to get the whole school sent home.
The tie-a-phone-to-a-dog thing reminds me a lot of the wagon full of smartphones creating traffic jams. (via @circa1977)
Edward Snowden’s leak of NSA documents keeps paying dividends. The latest report (in the Guardian, the NY Times, and Pro Publica) alleges that the NSA has cracked or circumvented many of the internet security protocols designed to keep communications private from third parties. From the Pro Publica piece:
The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.
Cryptographer Matthew Green speculates on exactly how the NSA might have achieved these results and what the implications are.
Probably the biggest concern in all this is the evidence of collaboration between the NSA and unspecified ‘telecom providers’. We already know that the major US (and international) telecom carriers routinely assist the NSA in collecting data from fiber-optic cables. But all this data is no good if it’s encrypted.
While software compromises and weak standards can help the NSA deal with some of this, by far the easiest way to access encrypted data is to simply ask for — or steal — the keys. This goes for something as simple as cellular encryption (protected by a single key database at each carrier) all the way to SSL/TLS which is (most commonly) protected with a few relatively short RSA keys.
If you’re concerned about the privacy of your communications, security expert Bruce Schneier has some suggestions for keeping secure.
1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.
2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections — and it may have explicit exploits against these protocols — you’re much better protected than if you communicate in the clear.
Charles Mann visits the airport with security expert Bruce Schneier and a fake boarding pass. What he finds is a lot of security theater and not much security.
“The only useful airport security measures since 9/11,” he says, “were locking and reinforcing the cockpit doors, so terrorists can’t break in, positive baggage matching” — ensuring that people can’t put luggage on planes, and then not board them — “and teaching the passengers to fight back. The rest is security theater.”
(via df)
I don’t know if this is sadly hilarious or hilariously sad. Jeffrey Goldberg took all sorts of crazy stuff through airport security — “al-Qaeda T-shirts, Islamic Jihad flags, Hezbollah videotapes, inflatable Yasir Arafat dolls (really), pocketknives, matches from hotels in Beirut and Peshawar, dust masks, lengths of rope, cigarette lighters, nail clippers, eight-ounce tubes of toothpaste (in my front pocket), bottles of Fiji Water (which is foreign), and, of course, box cutters” — and almost nothing was ever taken away from him or was a source of concern for airport security personnel.
We took our shoes off and placed our laptops in bins. Schneier took from his bag a 12-ounce container labeled “saline solution.”
“It’s allowed,” he said. Medical supplies, such as saline solution for contact-lens cleaning, don’t fall under the TSA’s three-ounce rule.
“What’s allowed?” I asked. “Saline solution, or bottles labeled saline solution?”
“Bottles labeled saline solution. They won’t check what’s in it, trust me.”
They did not check. As we gathered our belongings, Schneier held up the bottle and said to the nearest security officer, “This is okay, right?” “Yep,” the officer said. “Just have to put it in the tray.”
“Maybe if you lit it on fire, he’d pay attention,” I said, risking arrest for making a joke at airport security. (Later, Schneier would carry two bottles labeled saline solution-24 ounces in total-through security. An officer asked him why he needed two bottles. “Two eyes,” he said. He was allowed to keep the bottles.)
So hard to pick just one excerpt from this one…it’s full of ridiculousness. I don’t care how many blogs the TSA launches, this is a farce. (thx, anthony)
Bruce Schneier on the Portrait of the Modern Terrorist as an Idiot. “Terrorism is a real threat, and one that needs to be addressed by appropriate means. But allowing ourselves to be terrorized by wannabe terrorists and unrealistic plots — and worse, allowing our essential freedoms to be lost by using them as an excuse — is wrong.”
Did President Bush get his watch stolen in Albania while shaking hands with people in the crowd? Bruce Schneier: “At 0.50 minutes into the clip, Bush has a watch. At 1.04 minutes into the clip, he had a watch.”
Update: Tony Snow is saying that Bush put the watch in his pocket. (thx, hal)
The inept security theater at the airport. “For theater on a grand scale, you can’t do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration.”
Even though the most popular password on MySpace is “password1” (the 5th most popular password is “blink182”), most users’ passwords are pretty good…and better than corporate employees’ passwords.
Bruce Schneier: “It’s time we calm down and fight terror with antiterror. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show’s viewership.”
Q. Is it possible to use a wireless Internet connection on a plane?
A. Yes, if you happen to be flying on an airline that offers the service. International carriers like Korean Air, Lufthansa and Singapore Airlines already have wireless broadband service on many routes; fees for using it vary. Check with your airline to see if it offers in-flight Internet.
So says the NY Times. While it may not be possible to use wireless Internet connections on the plane, it is possible to use wireless connections. Apple laptops can create networks which other computers with wireless capability can join. Bluetooth capable devices like laptops and cellphones can communicate with each other over smaller distances.
Since 9/11, I’ve often thought that this would be an effective way for a group of people to coordinate some nefarious action on a plane without attracting any attention. Five or six people scattered about the plane on laptops, iChatting plans to one another, wouldn’t be unusual at all. Of course, a properly trained group wouldn’t need to communicate with each other at all after boarding the plane. Nor, says Bruce Schneier, should we ban things like cellphones and Internet access on airplanes for security reasons.
Bruce Schneier on the sorry state of airport security. “Exactly two things have made airline travel safer since 9/11: reinforcement of cockpit doors, and passengers who now know that they may have to fight back. Everything else…is security theater.”
Bruce Schneier on how to mitigate identity theft. “If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.”