Privacy By Design Critical to Success in New Normal
2nd July 2020
Privacy protection must be at forefront of security design
With so much data being collected for contact tracing in the current pandemic, robust cyber security to protect this huge amount of information from prying eyes becomes critical. In fact, in this third instalment, we advocate putting privacy protection at the core of any system security design as we see more fusion of physical and cyber security in an uncertain world.
Go to a shopping mall today, and the first thing you are likely to be greeted by is a QR code to register your identity. Your temperature is then taken to ensure you are well prior to entry.
This new normal is likely to persist for a while, until after a vaccine for COVID-19 is developed.
What is also interesting is the technology that has enabled this. These physical checks that are aimed at curbing the spread of the coronavirus are connected digitally so that they allow for easy contact tracing.
The identities of those visiting the mall can be quickly called up later if there are suspected cases or a new cluster of infected persons.
This fusion of both physical and cyber security technologies is not new. However, the scale on which they have been deployed today is unheard of.
Security by design
The sheer amount of personal data collected requires care. This data is crucial to the entire operation of contact tracing, and it is just as important to have robust security policies in place to keep that gold mine of information from prying eyes.
At the core of each data collection effort should be security and privacy. Both go hand in hand, and they cannot be an afterthought that is supplementary to the main development. From the ground up, there have to be considerations on data access management.
There are also critical questions to be asked. What kinds of data will be collected? How long will it be stored? What will it be used for? Who can access that data? How will the data be protected?
These are issues that many citizens are concerned with, even as they cooperate with government authorities to contain the spread of the coronavirus. They are rightly concerned with the data that is collected whenever they step into a mall or a restaurant, for example.
Here, the Singapore experience is an interesting one. The government is going a step further than many other countries by issuing a contact-tracing dongle, which tracks the close contacts that a person has had.
The authorities have gone to great lengths to explain that the TraceTogether wearable device does not have any GPS or mobile data capabilities, so it does not track a user’s whereabouts. Instead, it only records the contacts detected via Bluetooth proximity data.
This data is stored on the device and only accessed by the authorities if a person is diagnosed with the coronavirus. The data is encrypted and deleted after 25 days.
A separate contact tracing application, called Safe Entry and used to record a person’s entry into malls, restaurants and other places, keeps data for only 25 days as well. This data is collected and managed by the authorities, not private parties.
Protecting digital identity
Trust is an important element in this new normal. Without it, the technology alone cannot do its job to help contact trace and prevent the spread of the deadly coronavirus.
Today’s best face recognition technology can detect a person’s identity even if he is wearing a mask. NEC’s Thermal Screening Solutions, for example, recognises faces even as it detects high body temperature. All this is done in a contactless manner, reducing the risk of infection.
The solution can capture and store up to 10,000 faces for contact tracing. A more advanced version of the technology can detect up to five persons concurrently, making it ideal for venues with larger capacities.
For such technologies to be useful, however, citizens have to trust that their data is being protected. In particular, with their digital identity being tied to the places they visit, they will want to make sure that the data records are only used for combatting the pandemic.
How can a trusted party - usually a government - protect this personal data and how can technology innovations, such as biometrics, make it more seamless for people to participate in safety measures? That will be a core challenge in this uncertain period.
An important issue is how well people will accept this increase in personal data collection. This could vary from country to country.
What is undisputed, however, is the need to make cyber defenses more robust than before to protect this data. Along with the larger “attack surface” comes a higher risk that this data could be stolen. This risk must be mitigated by adequate measures.
The good news is that many governments and businesses have taken steps to better safeguard the information collected. The awareness is certainly higher today, as shown in Singapore’s example.
What many governments and businesses also realise today is the need to have security built from the ground up. In other words, security has to be by design, from the time a solution is built. For example, a biometrics solution or a telecom equipment setup has to have safeguards that are part of the core feature set.
To be sure, there is no foolproof way to keep out fast-evolving security threats. In the real world, security is often a cat-and-mouse game, where the good guys have to keep up with the latest challenges.
As the physical and digital worlds merge, it is crucial that organisations keep up with converged security solutions that work seamlessly across both realms. This is going to be a key mission in today’s new normal.
Images from Pixabay and Pexels.