If A College Is Going To Make COVID-19 Contact Tracing Apps Mandatory, They Should At Least Be Secure
Furnished content.
One of the more frustrating aspects of the ongoing COVID-19 pandemic has been the frankly haphazard manner in which too many folks are tossing around ideas for bringing it all under control without fully thinking things through. I'm as guilty of this as anyone, desperate as I am for life to return to normal. "Give me the option to get a vaccine candidate even though it's in phase 3 trials," I have found myself saying more than once, each time immediately realizing how stupid and selfish it would be to not let the scientific community do its work and do it right. Challenge trials, some people say, should be considered. There's a reason we don't do that, actually.And contact tracing. While contact tracing can be a key part of siloing the spread of a virus as infectious as COVID-19, how we contact trace is immensely important. Like many problems we encounter these days, there is this sense that we should just throw technology at the problem. We can contract trace through our connected phones, after all. Except there are privacy concerns. We can use dedicated apps on our phones for this as well, except this is all happening so fast that it's a damn-near certainty that there are going to be mistakes made in those apps.This is what Albion College in Michigan found out recently. Albion told students two weeks prior to on-campus classes resuming that they would be required to use Aura, a contact tracing app. The app collects a ton of real-time and personal data on students in order to pull off the tracing.Aura, however, goes all in on real-time location-tracking instead, as TechCrunch reports. The app collects students' names, location, and COVID-19 status, then generates a QR code containing that information. The code either comes up "certified" if the data indicates a student has tested negative, or "denied" if the student has a positive test or no test data. In addition to tracking students' COVID-19 status, the app will also lock a student's ID card and revoke access to campus buildings if it detects that a student has left campus "without permission."TechCrunch used a network analysis tool to discover that the code was not generated on a device but rather on a hidden Aura website—and that TechCrunch could then easily change the account number in the URL to generate new QR codes for other accounts and receive access to other individuals' personal data. It gets worse. One Albion student was able to discover that the app's source code also included security keys for Albion's servers. Using those, other researchers into the app found that they could gain access to all kinds of data from the app's users, including test results and personal identifying information.Now, Aura's developers fixed these security flaws...after the researchers brought them to light and after the school had made the use of the app mandatory. If anyone would like to place a bet that these are the only two privacy and security flaws in this app, then they must certainly not like having money very much.To be clear, plenty of other schools are trying to figure out how to use technology to contact trace as well. And there's probably a use for technology in all of this, with an acceptable level of risk versus the benefit of bringing this awful pandemic under control.But going off half-cocked isn't going to help. In fact, it's only going to make the public less trustful of contact tracing attempts in the future, which is the last thing we need.
Read more here
posted at: 12:00am on 01-Sep-2020
path: /Policy | permalink | edit (requires password)
Appeals Court Says Not Allowing Federal Officers To Pepper Spray Journalists Makes Law Enforcement Too Difficult
Furnished content.
The Ninth Circuit Appeals Court has just stripped away the protections granted to journalists and legal observers covering ongoing protests in Portland, Oregon. After journalists secured an agreement from local police to stop assaulting journalists and make them exempt from dispersal orders, the DHS's ad hoc riot control force (composed of CBP, ICE, and Federal Protective Services) showed up and started tossing people into unmarked vans and assaulting pretty much everyone, no matter what credentials they displayed. Shortly after that, a federal court in Oregon granted a restraining order forbidding federal agents from attacking journalists and observers.Not that granting the restraining order did much to prevent federal officers from beating journalists with batons, spraying them with pepper spray, or making sure they weren't left out of any tear gassings. The plaintiffs were soon back in court seeking sanctions against federal violators of the order. The DHS said it couldn't identify any of the officers and stated it had punished no one for violating the order. This prompted the judge to add more stipulations to the order, including the wearing of identification numbers by officers engaging in riot control.Unfortunately for journalists and legal observers, the restraining order is no longer in place. It was rolled back by the Appeals Court in a very short order [PDF] with the court finding that a blanket order protecting journalists and observers from being assaulted makes things too tough for federal cops. (via Courthouse News)Based on our preliminary review, appellants have made a strong showing of likely success on the merits that the district court’s injunction exempting “Journalists” and “Legal Observers” from generally applicable dispersal orders is without adequate legal basis. Given the order’s breadth and lack of clarity, particularly in its non-exclusive indicia of who qualifies as “Journalists” and “Legal Observers,” appellants have also demonstrated that, in the absence of a stay, the order will cause irreparable harm to law enforcement efforts and personnel. DHS personnel will still have to comply with the stipulation of the now dead restraining order requiring them to ID themselves:This order does not disturb the portion of the district court’s August 20, 2020 order directing the parties to confer regarding identifying markings… The equally short dissent disagrees. The restraining order has been in place for more than a month at this point and the federal task force hasn't found itself unable to engage in crowd control and riot suppression efforts.In light of the deferential review accorded to the district court’s factual finding at this stage, the district court’s extensive factual findings with respect to journalists and legal observers, including the finding that the injunction would not impair law enforcement operations to protect federal property and personnel, and the fact that a temporary restraining order has been in place since July 23, 2020, the government has failed to meet its burden to demonstrate either an emergency or irreparable harm to support an immediate administrative stay. This will be appealed. And it may end up being something the Supreme Court will feel like addressing. There's a question that needs to be answered since the future will contain plenty of protests and plenty of people covering them. This was how the district court judge explained it in an earlier hearing:Simon initially said at a hearing Tuesday that the question of whether journalists have different rights under the First Amendment than those of protesters, who legally must leave an area after a riot has been declared, was likely to end up before the U.S. Supreme Court. But Judge Simon took a pass on that question in his decision -- the one now rejected by the Appeals Court.Someday, a court may need to decide whether the First Amendment protects journalists and authorized legal observers, as distinct from the public generally, from having to comply with an otherwise lawful order to disperse from city streets when journalists and legal observers seek to observe, document, and report the conduct of law enforcement personnel; but today is not that day. With this rejection by the Appeals Court, that "someday" may be much closer than it was a little more than a week ago, when journalists and observers were still shielded from being assaulted by federal officers. The gloves are off now and federal agents are free to treat them like the rest of the crowd when deploying force.
Read more here
posted at: 12:00am on 01-Sep-2020
path: /Policy | permalink | edit (requires password)
|
|