At a glance.
- Will surveillance during the pandemic outlast the emergency?
- Britain's troubled contact-tracing app stays troubled.
- Crisis as opportunity? Cyber norms and the pandemic.
Will surveillance during the pandemic outlast the emergency?
The Washington Post's Cyber 202 discusses concerns that various forms of surveillance, including but not limited to technology designed to facilitate contact tracing, will endure beyond the COVID-19 pandemic itself. Some, like the ACLU's Jennifer Granick, warn of the perennial temptation to mission creep, and they recommend that strict limits be placed on the collection and use of data during the emergency. Others recommend taking care, when crafting law and policy, that an exceptional set of circumstances doesn't reshape default expectations of what such law and policy should look like. Extraordinary conditions are an unsure guide to how ordinary life might be lived.
Britain's troubled contact-tracing app stays troubled.
Authorities in the UK acknowledged, ComputerWeekly reports, that the NHS contact-tracing app won't make the June 1st deadline for a national rollout. This is due in part to skittishness by the governments of Northern Ireland and Scotland about the privacy and efficacy of the system. Northern Ireland, for example, doesn't want a system that will impede travel across the border with the Republic of Ireland. NHS Highland, responsible for healthcare in Scotland, has undertaken development of its own system designed to protect residents, visitors, and staff in care homes from infection by "creat[ing] virtual geozones around the care home and particularly sensitive or quarantined areas to control access, as well as dynamic personal two-metre geozones around everyone with the app." It's also due in part to what's increasingly perceived as an unacceptable degree of bugginess in the app's source code itself ("it's just getting silly now," as Gizmodo UK put it). In any case, a June 1st rollout is now generally regarded as an impossibility.
Crisis as opportunity? Cyber norms and the pandemic.
A post on the Council on Foreign Relations blog argues that the COVID-19 pandemic represents an opportunity for the US to make an enduring contribution to the development of cyber norms. Columbia University's Jason Healey and Virpratap Vikram Singh argue that the current emergency may be used to achieve some clarity about norms in cyberspace. The post's title urges the US to "double down on cyber norms," but their argument is more nuanced than the hard-nosed cardsharp language of the title suggests.
They look at last week's warning from the FBI and US Department of Homeland Security concerning Chinese espionage directed against organizations conducting biomedical research into COVID-19, and find that warning's contentions that such espionage jeopardizes effective treatment of the disease to be "flimsy." And they consider it unrealistic to think that any nation-state's intelligence services would agree to refrain from collecting information about medical treatments. A pandemic is a threat to any nation. It would be irresponsible for them to renounce such collection. They don't put it this way, but it would amount to professional malpractice, and expecting such restraint to become an international norm is as naive as the attitude Secretary of State Stimson displayed when he withdrew funding from the joint State-Army Black Chamber in 1929 on the grounds that "Gentlemen do not read each other's mail."
What Healey and Singh recommend instead is insistence on certain familiar distinctions. They suggest that any reasonable set of norms should include, as a minimum, the following features, many of which will be familiar in spirit to students of the laws and customs of armed conflict:
- Cyber incidents shouldn't cause direct harm, which amounts to an application of principles of proportionality. (It's worth noting that there have been some concerns that Chinese espionage against vaccine research not only stole data, which in itself is arguably "honorable espionage," but may have also corrupted research data, either intentionally or not. If it did so, that would seem to constitute "direct harm." As the authors put it, "interruption of the availability of or, even worse, manipulation of vaccine and public health data is reckless and completely unacceptable.")
- Cyberattacks against protected organizations like hospitals should be prosecuted as crimes, and such facilities should be off-limits to attack, an application of the principle of discrimination.
- "States agree that espionage regarding vaccine and public health data is acceptable. Such espionage should be as non-disruptive as possible so as not to interrupt the work of the medical and research teams. The fruits of such espionage, such as stolen intellectual property, cannot be used for commercial advantage." The insistence that espionage not serve commercial advantage has been a longstanding American position, and is frequently cited by US authorities when they're asked why American spying is different from Chinese spying.
- Information operations shouldn't interfere with crisis response.
- States should not permit their territory to be used by cybercriminals or other malicious actors. Doing so would constitute failure to live up to the responsibilities of sovereignty.
- Finally, governments would voluntarily cooperate "to hold states accountable when they act contrary" to their obligations, which amounts to an invocation of a responsibility for collective security.
Developing norms for conduct in cyberspace should realistically recognize the truth of former Director NSA and Director of Central Intelligence Hayden's observation after the Office of Personnel Management hack that there's such a thing as "honorable state espionage," and "shame on us" if we can't block it. So perhaps the simplest formulation would be, spying is in, but sabotage and criminal theft are out.