2020 UK Lockdown Cyber Narratives: the Secure, the Insecure and the Worrying
Karen Renaud, Paul van Schaik, Alastair Irons, Sara Wilford
Abertay University, Rhodes University, Teesside University, Sunderland University, De Montfort
ABSTRACT
On the 23rd March 2020, the UK entered a period of lockdown in the face of a deadly pandemic. While some were unable to work from home, many organisations were forced to move their activities online. Here, we discuss the technologies they used, from a privacy and security perspective. We also mention the communication failures that have exacerbated uncertainty and anxiety during the crisis.

An organisation could be driven to move their activities online by a range of disasters, of which a global pandemic is only one. We seek, in this paper, to highlight the need for organisations to have contingency plans in place for this kind of eventuality.

The insecure usages and poor communications we highlight are a symptom of a lack of advance pre-pandemic planning. We hope that this paper will help organisations to plan more effectively for the future.
KEYWORDS
Remote Working, Cyber Security, Privacy
ACM Reference Format:
Karen Renaud, Paul van Schaik, Alastair Irons, Sara Wilford. 2020. 2020 UK Lockdown Cyber Narratives: the Secure, the Insecure and the Worrying. In Proceedings of . , 10 pages. https://doi.org/10.1145/nnnnnnn.nnnnnnn
The pandemic of 2020 led countries to impose lockdowns, which closed schools, universities and a host of other workplaces. This forced organisations to move their activities online, and employees were often left to find the best technologies to carry out their core activities. Many grasped at the most familiar or popular technologies to satisfy their needs. In some cases, the technologies they used, or the way they used them, exposed them to the actions of hackers, or violated their privacy. We explore these issues in Section 3.

On the other hand, the 2018 GDPR regulation made organisations consider and manage the way they stored personal and sensitive data. The fact that organisations had gone through this process stood them in good stead when the lockdown was imposed. This demonstrates the immense value of planning and putting measures in place. We discuss secure measures in Section 2.

There were also some worrying developments, in terms of privacy and human rights violations. We discuss these in Section 4.

Finally, in Section 5, we present guidelines for measures organisations could implement to prepare for future lockdowns. These will minimise the security and privacy violations that are occurring during the current lockdown, as revealed by our narratives. Section 6 concludes. Figure 1 provides an overview of the paper.
Figure 1: Narratives Explored in this Paper
The research methodology used in this paper is desk research. In other words, we gathered facts and news reports that helped us to construct the emergent security and privacy focused narrative around the UK’s 2020 pandemic lockdown. By so doing, we have been able to highlight the need for organisations to support their employees more effectively so that they can achieve private and secure at-home working.

Bill Gates predicts that pandemics will occur every 20 years [15], and other disasters, such as fires, occur unpredictably and also send workers home.

A lockdown could happen again.

We thus build on the research literature to propose guidelines for working securely and privately at home, as our main contribution.
As academics, we are in a good position to write about the plans our Universities made before the introduction of GDPR in 2018. Universities across Europe engaged in activities to ensure that their employees knew exactly how to secure their data.

Our institutions implemented measures that are likely to be typical of the industry at large. They published policies and provided secure storage in some cases. Whatever their individual arrangements, this preparation for GDPR meant they were well prepared for the lockdown, when it came to data storage.

A brief review of the authors’ institutions’ policies evidences this. One author’s institution has a GDPR policy that lays down “good practice” principles for storing and managing research data. Guidance is also provided with respect to where data should be stored (i.e. on University sanctioned storage drives). Another author’s institution’s information security policy devotes two pages to explaining how research data ought to be secured. A third author’s institution has a five-page Data Protection Policy laying out guidelines for securing data. A fourth author’s institution publishes a 9-page policy to guide data protection activities.

One policy specifies that OneDrive be used to store data, but the others do not do this. Two forbid the use of Dropbox for research data.

As well as policies that address GDPR needs, there is also a need to consider the security of the architecture that enables home working. For example, considering WiFi routers: whether or not these are password-protected and the age of the routers is relevant (more recent routers have more in-built security). Moreover, others in the household may have access to the computers used for remote working and the separation of work and personal technology usage becomes challenging.

In none of the policies we reviewed was video conferencing software mentioned.
Nor were any recommendations made about protocols for home working or secure software to use, nor were there any guidelines for hardware configurations that would help improve home working security. Finally, there was no mention of the use of VPNs to preserve privacy.
The move to home working, and the use of online conferencing software, has increased exponentially [41] as society embraces social distancing and heeds isolation instructions from the government. Quarantined employees naturally sought a way to stay in touch with their loved ones, and maintain relationships with colleagues, whilst also conducting their work activities from home.

There is a range of tools that enable colleagues and collaborators to work together in a virtual “face to face” environment whilst maintaining social distancing. Many turned to Google to find the tools they needed. Figures 2 and 3 depict the spike in searches for video conferencing technologies since the beginning of the lockdown. As these graphs demonstrate, many found Zoom and looked for more information.
Figure 2: Google Searches for “Video Conferencing” from 10 March 2020 to 10 April 2020

Figure 3: Searches for Zoom, Teams and Skype from 10 March 2020 to 10 April 2020
The rush to adopt video conferencing technologies ushered in a number of interesting and concerning aspects, in terms of user behaviour.
Because of the speed in implementing video conferencing technologies, very few organisations had the time to put policies or protocols in place regarding remote working practices. This means employees are figuring out their practices for themselves. They might be well informed, and do so securely, but they might also put themselves and their employers’ devices at risk.
On the one hand, there is a need to be included and to ensure that users have the appropriate hardware to enable the software to be utilised. Users may have been given admin rights to enable them to install software because their corporate IT support do not have the capacity to support a multitude of users trying to install software. This may lead to advised checking and testing not being completed. It also potentially causes stress when things do not work or users cannot connect to the technology that their peers are using.

On the other hand, the need to connect with others can lead to unwise installation of technologies and this may mean that the usual security checks are not in place. The adoption of workable solutions in the short term could well obscure underlying problems, for example with user privacy, data and information sharing, and possible unwitting GDPR violations.

Furthermore, once the pandemic period is over, the extent of privacy, security and data protection violations will be discovered. The subsequent fall-out in terms of managing the administration of both criminal and civil regulations could prove to be overwhelming to institutions, regulators and individuals, if the use of these emergency tools can be shown to have been used uncritically and without informed consent or sufficient care for personal data.
This particular tool has become very popular. As its popularity has risen, so have concerns about its security and potential privacy violating practices [27]. A number of security experts have raised concerns about vulnerabilities within Zoom [36, 72]:

• Potential privacy violations. Research by Citizen Lab found that cryptographic operations were delivered to participants via servers in China [39, 40].
• “Zoombombing”. This is where trolls take advantage of open or unprotected meetings and poor default configurations to broadcast porn or other explicit material. In response, Zoom enabled the Waiting Room feature which allows a meeting host to control when a participant joins the meeting and enforces passwords. On the 8th April researchers revealed a security vulnerability in the waiting room [44].
• Security vulnerabilities. Researchers discovered a flaw in Zoom’s Windows application which allowed remote attackers to steal victims’ Windows login credentials and execute arbitrary commands on their systems. A patch was issued on April 2, 2020, to address this flaw. Other researchers created a new tool called “zWarDial” that searches for open Zoom meeting IDs, finding around 100 meetings per hour that aren’t protected by any password. There is also evidence that Zoom IDs and passwords are being sold on the dark web [7].

As we write, some countries [59] have suspended the use of Zoom by teachers due to abuse by hackers. Zoom has been particularly responsive to these criticisms, patching them as quickly as they can [51]. However, as Mudge [51] points out, whilst the Zoom developers should have addressed security issues in the initial design, 5 years ago, they are trying to “fix” vulnerabilities as the Zoom user community grows. Mudge also indicates that there is a responsibility on the user to ensure security of any application that they are using, including Zoom. Making sure that routers are robust (and up to date), making sure tools are up to date and ensuring the patches and updates are put in place as soon as they become available will all contribute to safer video conferencing environments. The Zoom developers will also see this as an opportunity to improve their product.

The Zoom scenario seems to be a classic trade-off between usability and security, highlighted by Cranor and Garfinkel [14]. The rush to ensure that colleagues could stay connected at very short notice meant that easy to install and use applications, such as Zoom, are being used without people thinking about security or even knowing what steps to take to assure secure usage.
We have discussed Zoom, which has attracted a great deal of attention due to its escalating user numbers. It is likely that many of the other video conferencing offerings also have vulnerabilities which are, even now, being exploited by hackers.

Our argument is not Zoom-specific. We are making the point that many are using a variety of video conferencing technologies with serious vulnerabilities, and they are doing so because they either do not have any alternatives, because they feel impelled by the critical mass usage to use them, or because they are simply unaware of the vulnerabilities.
School teachers are perhaps most unprepared to move their activities online. The bulk of their work is face to face with the children, in and out of classrooms. Now suddenly they have had to find other ways to engage. There is some evidence that they are woefully uninformed about privacy [2] and security [58].

The advice from Human Rights Watch [46] is to focus on the most accessible technologies and methods. There is no mention of privacy or security considerations in this article. Yet privacy, too, is a human right (United Nations Declaration of Human Rights (UDHR) 1948, Article 12) and in Europe the new GDPR regulations have stringent rules requiring that children’s data be kept private [45]. We now provide two examples of teachers maximising accessibility with security and privacy pitfalls.

Gym teachers would like their pupils to provide evidence that they are doing their exercises. How do they do this while all their pupils are quarantined?

Anonymous [2] posted a comment to a Reddit group, saying that a teacher wanted children to post videos to YouTube. The first comment is from a teacher, defending the practice: “I think the mindset is trying to prevent students from just faking it by having them show evidence, but an email to the teacher asking for an alternative assignment should work.”

Another teacher explains: “My district wants me to document everything I am doing daily that is focused on my degree. 3 to 5 hours a day M-F. How the hell can I come up with 3 to 5 hrs of stuff 5 days a week?! We have to document it and turn in a log sheet every Monday.”

One commenter doesn’t understand what the fuss is about: “Maybe not social media but why not? Meet them where they are at and remove barriers.”

Some suggest alternatives: “A friend of mine made a private Facebook group for his classes and that’s how they’re going everything.” However, Facebook and privacy are diametrically opposed [1].

Another offered advice: “YouTube videos can be private - accessed only with a link. If this must happen, that could be an option - then delete the video after the grade is marked.” The question that has to be asked, in this case, is how the password will be communicated to the teacher? If email is used, the YouTube video is not private.

Others express more concerns about privacy violations: “Nothing is truly private on the internet and there are a bunch of bored perverts home with nothing else to do.”

The upshot is that children’s privacy is being lost.
Don’t Blame the Teachers
One of the final comments expresses the unreadiness of this demographic. “Teachers are working their asses off to put a plan in motion that hasn’t even been finished yet. The nation, state and district haven’t planned ahead for this, it’s all being crafted on the spot and teachers are the ones doing the brunt of the work to make sure your nephew, niece, child, loved one is still being educated, still given a routine, still knows they have someone checking in on them and supporting them. Get off your reddit high horse and thank a [snip] teacher who has been sourcing every ounce of “creativity” to meet the demands of the education system with minimal support and with educ.” Certainly, many parents are expressing their support for the huge efforts teachers are making [18].

We are not blaming teachers; we are pointing the finger at those who are responsible for providing teachers with the technologies they need to carry out their activities during the pandemic. Based on the evidence we have gathered, it certainly seems as if they have been left to find their own way. That they make mistakes when their employers fail to support them is understandable.
Higher education institutions have also been forced to provide teaching, resources and support activities online. The concerns about privacy, data protection, verification, collusion, cheating, and how to conduct online assessment, are similar to those experienced by school teachers. Higher education institutions, however, have access to vastly more resources than schools, including an existing distance learning infrastructure, and a relatively high proportion of staff able to work from home.

In responding to the crisis, Universities offered access to multiple online tools, often without due diligence of privacy and security issues, or guidance for staff. There did not seem to be time to think about this in the rush to go online, with the focus being on delivery, staff/student support and promoting key public health advice [66].

Whilst this is understandable, the lack of oversight may result in significant problems in the future, as video conferencing apps, and an eclectic mix of online tools are used without a second thought (the Zoom app is integrated into Microsoft Teams [47]). The result is that confidential discussions are open to interception, student work may be accessed, exams compromised and sensitive data inadvertently leaked.

However, there is some awareness of the issues, and academic institutions worldwide are working to understand and make sense of this new way of working [42]. Meanwhile, the technology companies are under pressure to address concerns and to secure their systems [33], but it is likely to be too little, too late.
Governments are doing everything they can to prevent deaths during the COVID-19 pandemic. Some governments have used contact tracing tools, either by mobile phone apps or using cell tower triangulation [35, 56, 63, 68]. These can trace all the people an infected person has been in contact with to provide warning of possible infection. Contact tracing is a mature technique, which has been used to track tuberculosis [54], SARS [26] or STDs [5] contacts.

Yet these apps, even if initially justified during the pandemic, can very quickly violate privacy and other human rights after the pandemic has abated [11]. Some countries have used contact tracing in an authoritarian and privacy violating fashion [9, 37, 73].
An Israeli company has published an app [12] which claims to respect the privacy of citizens, as follows (direct quote from Cluley):

• Use of the app is optional, not compulsory. Any location data collected by the app does not leave the phone, and is not uploaded to the Israeli government. All processing happens on the phone itself.
• Those diagnosed with Coronavirus have to volunteer their location history for use by the app, which is driven by a JSON file that is updated with new data on an hourly basis.
• Even if a match is made, the app does not inform the Israeli Ministry of Health. It’s up to the user to get in touch if the app alerts that there might have been an encounter with a Coronavirus case.
• To reassure users about the behaviour of the app, it has been released as open source and its code published on Github.
• The app’s code has been examined by security experts at Profero.

All of these efforts, and the motivation to use an app, are based on the assumption that infection can only occur within 6 feet of an infected person. Yet MIT recently published research that showed that the droplets from a cough or sneeze could travel up to 27 feet [16].

The immediate justification for extending surveillance of the public uses the rhetoric of war to ‘battle the virus’ and to reinforce citizens’ sense that ‘we are all in this together’ [64], along with the expectation that all good citizens should be happy to utilise the app, and therefore give up some of their liberties for the benefit of society [25]. This then helps to create a moral imperative to comply with requests for quite draconian restrictions on civil liberties. By using ‘nudge’ tactics [52], they attempt to habituate the population into acceptance of increased electronic surveillance. This means that those not engaging can be presented as having a moral failing or a lack of civic awareness. In terms of the ‘battle’ against COVID-19, the expectation is that everyone will do their utmost to prevent its spread, and dire warnings, accompanied by daily death rates, will serve to sustain pressure to submit to increased surveillance. Social shaming regarding the lock-down conditions is already evident, encouraged and actively promoted by the media [32]. Social media is further increasing the pressure, and includes trolling, and other forms of online abuse, aimed at those perceived to question government requests.

Figure 4: Google Searches for Surveillance vs. Contact Tracing from 10 March 2020 to 10 April 2020

This approach is not dissimilar to an oft-repeated statement used to shut down concerns about the use of surveillance, particularly post 9/11: “if you’ve got nothing to hide, you’ve got nothing to fear” [61]. The message here is that surveillance that enhances national security and protects against terrorism should take precedence over personal liberty. It can be surmised that it is only a matter of time before such rhetoric is resurgent in the public dialogue. In a crisis, most people are eager to help their fellow citizens [70] and compliance with rules is consistent with this stance. However, a few dissenting voices are expressing concerns about the potential future use of these technologies [53].

The acceptance of increased surveillance may not be encouraged just through the impact of a global emergency, social shaming and nudge tactics. In many countries, both authoritarian and democratic, people have become habituated to living under surveillance via CCTV, GPS, Smart Phones and during Internet usage, whether that is by the government [21, 69] or by businesses [74]. Many have become so accustomed to being under surveillance, that the Panopticon, a prison system of total surveillance and a ‘new mode of obtaining power of mind over mind’ devised by Jeremy Bentham [6], has become the reality of our modern, surveillance society [28, 43].

As the current situation begins to resolve, questions about an end to the increased surveillance will be raised. It is likely that arguments will then be made to retain these technologies in the fight against crime or terrorism and above all, to ensure that “We are ready next time”. In response, parliaments have an important role to hold the government to account. The UK Labour opposition leader has stated that he will scrutinise the UK government’s actions and point out any failures that need to be addressed [4]. However, the key to the success or failure of current and future responses to such a crisis lies in how and what information is communicated to the public.
The UK government passed coronavirus legislation, which gave police new powers [65]. Very soon after the country was put into lockdown, reports of police men and women exceeding their remit began to emerge.

For example, Derbyshire Police used drones to film people walking in the hills, on their own, to name and shame them online [19] and dyed the local pool black so that people would not want to take a swim [49]. This police force is not the only one to overstep the mark.

Warrington police posted to Twitter that ‘six people had been summonsed for offences relating to the new coronavirus legislation to protect the public’ [71]. The violations include going ‘out for a drive due to boredom’ and ‘multiple people from the same household going to the shops for non-essential items’. The legislation does not specify what essential items are, so the police are clearly deciding for themselves. For example, a news report on the 30th March reported that police had ruled Easter eggs “non-essential” [23] (in the week before Easter). Wine and crisps too, were ruled non-essential [50]. Given that the government requires that citizens do not do non-essential shopping, would it be the shops that are responsible to ensure that non-essential items are not offered for sale?

Slater [60] argues that: “The thing is when you give police – or in the case of these new regulations, police, community support officers and other people ‘designated’ by local authorities – the power and moral authority to throw their weight around, many of them are bound to overinterpret their responsibilities and overstep the mark.” This sentiment is echoed by Campbell [10].

Indeed, police chiefs have now become concerned enough to issue a statement saying they will be drawing up new guidelines so that their police forces [48] do not overreach their authority. This was in response to former Supreme Court Justice Lord Sumption saying that Britain risked turning into a “police state” [55]. The Home Secretary Priti Patel was moved by comments issued by Northamptonshire Police Chief Constable Nick Adderley to issue a warning to police on the 10th April saying that road blocks and checking of supermarket trolleys were “not appropriate” [62].

We believe many of these issues can be traced back to poor communication from the UK government about what actions the police should be taking. In the absence of clarity, some people will naturally overreach, as indeed they have.
Grater [30] reports on Emily Maitlis calling the UK government’s language ‘trite’ and ‘misleading’, when they were discussing the COVID-19 virus. She said that UK Cabinet member Dominic Raab erroneously suggested that people could survive the illness through fortitude and strength of character. She also pointed out that the virus and the lockdown was much harder on the poor, than on the wealthy.

During the week of the 6th April 2020, every household in the United Kingdom received a letter from the Prime Minister. With the letter was a leaflet which included the diagram in Figure 5. This graph was rather puzzling and seemed inaccurate since the letter came from the Prime Minister, who himself had just been admitted to hospital 10 days after falling ill with the virus. This diagram conflicts with the text in the leaflet, which suggests that Person C should isolate for an extra 7 days, now that Person D has started exhibiting symptoms.

From the very beginning, when the coronavirus emerged in Wuhan, the one consistent message has been to wash hands. On the other hand, the communication around face masks has been confusing and inconsistent. The Google Trends graph in Figure 6 demonstrates the uncertainty around face masks, as evidenced by increased numbers of Google searches. People were initially told that face masks were ineffective [34]. Then, on the 1st April, the World Health Organisation (WHO) announced that it was considering changing its guidance on face masks [20]. On the 7th April, the Centre for Disease Control (CDC) recommended wearing face masks in public [22]. On 8th April, the WHO announced that there was no evidence to suggest wearing a face mask would prevent healthy people from catching Covid-19 [29]. These kinds of conflicting messages have led to a great deal of uncertainty.
Organisations should have contingency plans to support home working. This ought to include a suite of technologies that people are given to ensure that their online activities are carried out securely. Moreover, these ought to be tested to ensure that employee privacy is preserved. If people are under pressure to do their jobs, without being given the necessary tools, they are likely to find a way. Humans are endlessly innovative in overcoming obstacles and finding a way to fulfil their commitments.

Here, we present some guidelines and recommendations regarding security and privacy for private companies, public organisations and third-sector organisations in response to the COVID-19 crisis.
Organisations should build on their existing information security and privacy policies by updating these to ensure they cover unforeseen problems that have now been exposed by the pandemic lockdown. Issues to be addressed include video-conferencing and other tools used to support remote working, teaching or learning from home and the management of signing up to applications or websites.

As it is unlikely that staff will fully read and/or understand the complete policy, organisations should consider creating a summary of topics that are specifically relevant to the crisis, with clear advice, and communicate these in a straightforward way to their staff, with a link to full details within the applicable policy.

Based on existing research evidence [31], this could be an effective way of positively influencing staff behaviour to reduce security and privacy problems. Similarly, governments should build on existing guidance by updating this for their citizens in terms of information security and privacy, and communicate the main points in a straightforward manner, with a link to full details. This will alleviate the problems highlighted in Section 4.2.2.

Figure 5: CORONAVIRUS Stay at Home Protect the NHS Save Lives

Figure 6: Hand Washing vs. Face Masks
Technology Choice:
A co-ordinated approach is needed to analyse and identify the security and privacy strengths and weaknesses of video-conferencing and other networked tools (Section 3), and then to publicise the results with straightforward guidance to the general public. This is important to ensure that users use appropriately secure and privacy-protecting tools and appropriate tool configurations to protect their information and preserve their privacy.
WiFi:
Consider the use of WiFi. Employees should avoid the use of public WiFi and make sure that home WiFi is as secure as possible. Attempts should be made to ensure that routers in the home are password-protected and, where possible, those working at home should have as up to date a router as possible. More recent routers, those less than 5 years old, have more built-in security.
Authentication:
Those working from home should follow the advice given by their organisations’ IT services and use approved (and supported) software. It is good practice to make use of strong passwords and ensure that, where possible, multi-factor authentication is utilised. Make sure there is up to date antivirus software in place and install updates and patches as soon as they become available, as long as these are from official sources.
Access Control:
In addition, every attempt should be made to separate work and personal devices and people should be advised not to share work technologies with family members.

In this co-ordinated approach, there may be roles for third-sector organisations that specialise in information security and/or privacy and for government security organisations. It is important that the communication of the guidance be clear and available from a single access point. This will allow users to more easily locate, assimilate and apply the guidance [67].
The development of a wide variety of contact-tracing apps (Section 4.1) could be useful in terms of promoting competition and innovation to improve the quality of app support for combatting the virus. However, given the crisis at this time, collaboration can be more beneficial than competition [8], as the latter:

(1) may be too slow to improve quality on time, as the virus does not follow the competition’s timetable,
(2) may prioritise the app’s ‘virus-combat effectiveness’ at the cost of information security, privacy and other considerations, and
(3) may be too slow in terms of take-up for people to choose the best possible app because of information overload (too many apps on offer with too many choice attributes to consider) [38] and choice inertia (people are slow or reluctant to change to another product even if it is better) [3].

Therefore, in crisis times such as this, a collaborative multidisciplinary approach should instead be followed to ensure that effectiveness, security, privacy, usability and other considerations are taken into account.

In addition, iterative design and testing is necessary to ensure quality improves during development, but also after deployment to continually improve the app [13, 24].

A single app per country or coalition of countries (for example, the EU) would provide a single access point. This will allow users to more easily locate, assimilate and apply the information. An example of a pan-European approach to develop a GDPR-compliant app is currently in operation under the name Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT2020).

More generally, from the perspective of privacy, several evaluation criteria have been identified that contact-tracing apps specifically should meet [17].
These are:

• limiting the personal data gathered by the authority;
• protecting the anonymity of every user;
• not revealing to the authority the identity of users who are at risk; preventing the system from being used by users to learn who is infected or at risk, even in their social circle;
• preventing users from learning any personal information about other users;
• preventing external parties from exploiting the system to track users or infer whether they are infected;
• putting in place additional measures to protect the personal data of infected and at-risk users;
• providing support for people to verify that the system does what it says.

Contact-tracing apps will vary in the extent to which they support privacy. For example, the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) app [57] aims to preserve privacy and maintain security, but does not explicitly address all these criteria.

Regarding communication weaknesses (Section 4.2.2), any measures and the communication of these measures need first to be thought through thoroughly, and they should be based on the nationally and/or internationally available relevant expertise. Therefore, the recommendation is to make good use of academic and other experts in relation to the content and communication of measures.

In addition, the communication and measures should be thoroughly evaluated before they are released within the time constraints. This is because poor communication can have adverse consequences in terms of potentially lengthening the pandemic, as our analysis of government communication shows. It should be possible to do the required evaluation relatively quickly by drafting in academic and other experts to help combat the crisis. Whether their contribution is made mandatory or not, many of them will be keen to help contribute to solving the crisis, in any case, when given the opportunity.

These are unprecedented times and the move to home working has been implemented in a necessarily speedy way.
However, as the initial implementation settles and people begin to get used to the “new norm”, there is a need to reflect on the efficacy and viability thereof. The stresses of needing to participate in organisational activities mean that the ability to engage could lead to the bypassing of usual security measures and non-compliance with organisational policies. Cyber criminals will likely exploit weaknesses and vulnerabilities in the home working environment.

As has been illustrated by our narratives, the vulnerabilities can result from the lack of specific policies, consequent “needs must work-arounds”, insecure hardware and/or non-robust software applications. These, combined with an increase in malicious attacks, mean that the home working environment is replete with potential digital threats.

We do not seek to criticise anyone for the technologies they make use of in an emergency. We wrote this paper to highlight the difficulties employees faced and the security risks quarantined citizens unwittingly exposed themselves to. We suggest a better way forward as the main contribution of this paper.
REFERENCES
PloS One
14, 3
Sex Transm Infect 87, Suppl 2 (2011), ii34–ii36.
[6] Jeremy Bentham. 1995. The panopticon writings. Verso Trade, London, UK.
[7] Matt Binder. 2020. Stolen Zoom passwords and meeting IDs are already being shared on the dark web. https://mashable.com/article/stolen-zoom-passwords-dark-web/?europe=true Accessed 9 April 2020.
[8] V. Boss, R. Kleer, and A. Vossen. 2019. Walking parallel paths or taking the same road? The effect of collaborative incentives in innovation contests. Managing Innovation: Understanding and Motivating Crowds
Security and usability: designing secure systems that people can use
The Journal of Strategic Information Systems
The communitarian reader: Beyond the essentials. Rowman & Littlefield.
[26] Luca Ferretti, Chris Wymant, Michelle Kendall, Lele Zhao, Anel Nurtay, Lucie Abeler-Dörner, Michael Parker, David Bonsall, and Christophe Fraser. 2020. Quantifying SARS-CoV-2 transmission suggests epidemic control with digital contact tracing. Science
Discipline and punish
The CPA Journal
Computers in Human Behavior 55 (2016), 51–61.
Surveillance, Crime and Social Control
Critical Discourse Studies
Journal of Digital Learning in Teacher Education
Nothing to hide: The false tradeoff between privacy and security
Risk Analysis of Natural Hazards
China’s golden shield: corporations and the development of surveillance technology in the People’s Republic of China