TechByter Worldwide

Listen to the Podcast


15 May 2020 - Podcast #693 - (21:52)

It's Like NPR on the Web

If you find the information TechByter Worldwide provides useful or interesting, please consider a contribution.

PayPal

Subscribe

15 May 2020

Can Privacy-Preserving Contact Tracing Work?

One of the items in Spare Parts last week described a plan by Apple and Google to allow their respective smart phones to communicate with each other. The goal is to help public health officials locate people who have crossed paths with people who were later found to be COVID-19 positive. It's a good idea, but there are many challenges.

 Click any of the small images for a full-size view. To dismiss the larger image, press ESC or tap outside the image.

TechByter ImageOhio's Department of Health Director, Doctor Amy Acton, explains the underlying problem this way: As states dial back the restrictions on which businesses can be open, it's a foregone conclusion that COVID-19 cases will increase. The key now will be to identify cases faster with more testing, which is still lagging badly, and then to perform contact tracing so that people who have been exposed to the virus can be identified and quarantined.

Apple and Google say that they can use Bluetooth technology and special apps that users would need to download, install, and activate. It's certain that some smart phone owners, citing privacy and civil liberties concerns, will refuse to use these applications. Even so, partial coverage would seem to be an improvement over no coverage. Contact tracing is a slow process that requires a lot of people and most states don't have the money to hire the contact tracers they'll need.

The companies have already published Bluetooth specifications that are subject to change as the project matures. They have also published specifications for encryption of data and an application programming interface specification for exposure notification.

System Mechanics

Contact tracing is important because it allows public health authorities to measure and slow the spread of infectious diseases by gathering information from infected individuals about the people they've been in contact with. These people can then be notified by public health authorities to take appropriate safety measures, such as undertaking self-quarantine and getting tested.

In mid-April, Apple and Google jointly described a plan that would have phones with the app installed broadcast what they call a "privacy-preserving identifier" using Bluetooth. The identifier isn't directly linked to any user information and it would change several times each hour. Other phones would broadcast their own identifiers and listen for those from other phones.

Then, at least once per day, the phone will download a list of beacons that have been verified as belonging to people confirmed as positive for COVID-19 from a public health authority. Each device will check the list of beacons it has recorded against the list downloaded from the server. If there is a match between the beacons stored on the device and the positive diagnosis list, the user could be notified and advised on steps to take next.

Although users who want to participate would need to download the app manually at first, there are plans to add the capability at the operating system level "to help ensure broad adoption." Those who want to opt out could still do so, but the proposed technology would work even without the app. When a match is found, the user would be encouraged to download the app.

Bad actors could mimic warnings and lead users to malware sites. This is an issue that the developers would need to address. Apple and Google say that only public health authorities will have access to the technology and apps that they develop would need to meet "specific criteria around privacy, security, and data control."

Privacy and civil liberties concerns have already been expressed and the developers have tried to address those concerns. Access to the technology will be granted only to public health authorities who would be able to access a list of beacons provided by users confirmed as positive for COVID-19 who have opted in to sharing them. The system is being designed so that Apple and Google have no access to information related to any specific individual.

Apple and Google also state flatly that there will be no monetization based on date from the project by either company and that both Apple and Google will minimize data used by the system and rely on users' devices to process information.

The system uses more than just location data to determine when someone might have been exposed to someone with the disease. Public health authorities will be able to establish a threshold for the amount of time that one person was exposed to another. The two users must be within Bluetooth range for at least 5 minutes to register a match. For contacts that are longer than 5 minutes, the system will report time in increments of 5 minutes up to a maximum of 30. Because proximity is also essential in assessing risk, the system will compare Bluetooth signal strength between the two devices; the closer they are, the higher the signal strength and the greater the risk.

If I may include a personal note here, there are people who continue to say that it's just like the flu. It isn't. It's more contagious than the flu and the death rate is higher. The incubation period is also a lot longer, which allows people who are infected and contagious to spread the disease for a week before they even suspect that they may have it.

Being an old guy, I remember polio outbreaks that occurred regularly from the early 1900s until the 1950s when Doctor Jonas Salk developed a vaccine that was injected. Doctor Albert Sabin later developed an oral vaccine. Polio outbreaks were somewhat localized and the only way to remain safe was to avoid contact with others. Swimming pools were closed. Large gatherings were cancelled. Sound familiar? A giant clinical test began in 1957. I remember the shot in part because the photographer from my hometown paper used my picture (eyes closed in horror) receiving the injection.

But then — just like that — polio was no longer a worry for children or their parents. Perhaps scientists will find a vaccine that will protect the population from this new coronavirus, but that's unlikely to happen for months (if we're extremely lucky) or at least a year if the research proceeds at a normal pace.

In the meantime, we have to depend on social distancing, masks, and people who are willing to assess risks to themselves and to others. It may be that technology can help and that it can help in a way that doesn't adversely affect civil liberties and privacy while allowing society to resume some "normal" activities even if they're less "normal" and more "new normal". But even if there is some data leakage, I wonder if that might not be preferable to death from a nasty virus.

Will It Work?

After all that build-up, you might have already concluded that I think this will work because it's a great idea. Half of that is correct. It's a great idea, but it's doomed from the outset.

First, it works only with Apple and Android smart phones. So that eliminates people who don't have smart phones. Many of these are older and poorer, so the most vulnerable people don't have smart phones. Some people who do have smart phones won't use the apps because they have fears about privacy. The people who are making the most noise about opening everything instantly regardless of risk also seem to be the people who are most likely to consider this to be a tracking program.

It isn't, of course. The developers have created a system that maintains privacy, but that doesn't matter to those who see evil even when it doesn't exist.

The initial responses haven't been encouraging. A Washington Post-University of Maryland poll says that sixty percent of Americans can't or won't use such an application. Nothing can be done to make it possible for those who can't use the system to participate, but those whose initial knee-jerk reaction is to oppose the technology might be persuaded to accept it.

Probably not, though.

The Washington Post article by Craig Timberg, Drew Harwell, and Alauna Safarpour notes that about 16% of Americans don't have a smart phone. After accounting for those people and those who have compatible phones, about 41% would be eligible to use the service. Only 17% of those said that they probably would use such an app and 32% said they might, while 20% said that they definitely would not use such an app and 30% said that they probably would not.

Even if all of those who said that they definitely or probably would use such an app actually did use it, that would cover only about 20% of the population. That's simply not enough for this to have any chance of being successful.

Sadly, it doesn't look promising.

Short Circuits

Avoiding Malware-Laced Files and Links

You've probably already heard my tirade about the dangers of unexpected attachments in emails and messages. You may even be tired of the tirade because the basic steps are so easy. But other threats exist.

Probably there has been no time when the threats were more pronounced. Scammers and thieves take advantage of big events and COVID-19 is perhaps the largest single event since the advent of ubiquitous computers.

Because crooks are clever it's important to be more on guard than normal. You already know not to open attachments or follow links that have come from people you don't know. That's the easy part. The correct response to files like these is just to delete them without question.

But what about an attachment or a URL from someone you know? The message may not be from someone you know. There are usually red flags: The text in the message doesn't sound like your friend, or it's someone who has never before send a link or a file, or maybe the email address isn't the one your friend usually uses.

We know that it's relatively easy for someone to create a phony Facebook account that uses a friend's photo, and this phony account can send a file or a link to you. So it's probably a good idea to check out any file or link you receive before trying to do anything with it.

I've described how to use a PowerShell command to load the text from a website so that you can then examine the code. That's a fine option if you're able to read and make sense of HTML files that may contain embedded Javascript. Fortunately, there's an easier way to check a URL.

Take care not to click the URL because that will open the computer's default browser and connect to the website. Instead, right-click the URL and choose Copy Hyperlink. Don't attempt to select and copy the displayed hyperlink. There are two reasons for this: First, the displayed hyperlink (https://goodsite.com) may not show the actual target (https://badsite.com); second, while clicking and dragging, it's easy to left-click the URL and that will take you to a site you may not want to visit.

After copying the URL, open the Virus Total website, choose the URL option, paste the link in, and press Enter. You'll then see a nearly immediate response from 50 or more security organizations. If all of them report that the site it clean, continuing to visit the site can be considered reasonably safe.

Files are a bit more complicated, but the same website can help. I generally start by saving the file to the computer and running the installed antivirus application on the file. If the computer's antivirus application reports the presence of malware, delete the file and there's nothing more to do. If the installed antivirus application finds nothing, it's still a good idea to get a second opinion because every protective application will miss some files.

So head back to Virus Total, select the File tab, click Choose File, and navigate to the location where you saved the file. If the file you're checking is an installer for an application, Virus Total will probably return a nearly instantaneous result. It calculates several hashes, including an SHA-256 hash, for the file and then compares that value and the name of the file to files that the dozens of systems know about. If they all report "Undetected", you can reasonably consider the file to be safe.

This is a good test for any file you've downloaded, even if it comes from a site that you trust.

If the file you want to check is a word processor document, a spreadsheet, an image, a PDF document, or a zip file, the process will take longer because it's a file the system hasn't seen previously. After the file is uploaded to Virus Total, it needs to be passed off to the various malware detection systems. The process is fast, and all of the test files I've uploaded have been analyzed in less than a minute.

VirusTotal is free to end users for non-commercial use. Paid services are available to banks and other businesses. The company works with some 70 antimalware providers, but does not distribute or promote any of them.

Additional information is available about the results. Besides knowing that a given antivirus application has detected a submitted file as malicious, you can also see each provider's detection label that gives insight into the type of threat presented. Most of the URL scanners differentiate between malware sites, phishing sites, and suspicious sites. Some engines will provide additional information and state explicitly whether a given URL belongs to a particular botnet.

Have You Looked at Edge Lately?

Microsoft's new Chromium-based version of Edge is making progress and promises to be the first worthwhile browser from Microsoft. I doubt that I'll defect from Firefox to Edge, but it's good to see that Microsoft finally has a better browser. It's only been 25 years since the company released the first version of the certifiably lousy Internet Explorer.

As work continues on the browser, the number of extensions available for Edge continues to increase. The numbers still don't approach those for Chrome or Firefox, but nearly 100% of the most popular extensions now have Edge versions.

Those who install Edge now have three choices:

TechByter ImageDuring development, Microsoft is encouraging input from users on the Edge Insider site, where bug fixes are announced and new features are explained.

The expansion of extensions for Edge include popular choices such as LastPass, AdBlock Plus, Honey, Evernote, Ghostery, and even a replicated original PacMan game.

TechByter ImageIf you visit websites written in languages other than English, you probably already use Google Translate, but now there's an add-on for Edge that has similar functionality. Edge Translate is better in some ways that Google's function.

TechByter ImageAnother clever add-on can help users find out who owns a website. This is easy enough without a plug-in by just visiting a "whois" service that's provided by virtually all domain registrars. DNSlytics is better, though. One catch is that it's not currently available in the Microsoft Store, but you can visit the developer's site and download the Chrome version. Once installed, visit a website and click the IP Info icon in the toolbar. You'll find information about the network where the site is hosted, hosting information, a list of associated domains, and a lot of other useful details. This can be helpful when you want to learn something more about a website.

Every major browser, and most of the minor ones, have lots of extensions that can be installed to give the browser features you wish it had. Whichever browser you use, take a look at the publisher's list of extensions occasionally to see if there's something you'd like to add.

Spare Parts

Windows File Explorer Tricks

TechByter ImageNobody pays much attention to the Windows File Explorer. You open it when you're looking for one or more files, do something with what you find, and close it. But the Explorer has some handy tricks that can save time for users.

Open the View tab and activate Item Check Boxes. When you mouse over a detail line or an icon in the Explorer, you'll see a box on the left side of the name. To select one or more files, just click the checkbox. You may think this is silly if you routinely use Ctrl and Shift to select more than one file, but sometimes this feature can be handy and it doesn't preclude using the old method.

TechByter ImageThe other trick is on the Home tab. Let's say a directory contains a few files you want to keep, but you want to delete the rest. Select the files you want to keep, click Invert Selection so that the Explorer clicks all of the files you didn't select, and then press the Delete key. This is another task that can be done using the old Ctrl and Shift selection methods, but it might save a bit of clicking around.

The Market for Wearable Healthcare Devices Expands Rapidly

It's probably no surprise that large numbers of people are buying wearable and portable healthcare devices in the COVID-19 age. The market is predicted to reach $46.6 billion by 2025.

The market for diagnostic devices such as ECG, heart, pulse, blood pressure and sleep; therapeutic devices such as those used to deliver pain medication or insulin; and those that contain applications for assessing fitness will grow at an annual rate exceeding 20%. The research is by Markets and Markets.

This market is largely driven by the increasing awareness of fitness and healthy lifestyles, development of technologically advanced products, growing geriatric population and subsequent increase in the incidence of chronic diseases, cost-containment in healthcare delivery, robust penetration of 3G and 4G networks for uninterrupted healthcare services, increasing penetration of smart phones and the growing number of smart-phone based healthcare apps and growing preference for wireless connectivity among healthcare providers are driving the growth of the global wearable healthcare devices industry. Growing adoption of mobile platforms, increasing adoption of AI and 5G, and the growing awareness & preference for home healthcare are opening opportunities for the growth of the market.

Twenty Years Ago: Kodak Desperately Seeks Relevance

By 2000, the message was clear: Home movies were now videos and digital cameras were the future. Kodak could see nothing but declining film sales and, although the company also made low-end consumer cameras, film was the company's primary profit center.

The company began shipping a PalmPix camera, an attachment that turned a Palm organizer (remember those?) into a digital camera.

It wasn't exactly a camera, either. The $179 device works with Palm III and Palm VII organizers. Kodak's suggested uses for the device include capturing notes from a conference white board and documenting trade shows.

Kodak's digital cameras were disappointments. In 2001, only Sony sold more digital cameras than Kodak, but it was losing money on every camera sold. Kodak went bankrupt in 2011 and emerged from bankruptcy in 2013.