At a glance.
- Snooper's charter expansion.
- Intelligence services using COVID-19-themed phishbait.
- Technical aids to contact tracing.
HM Government plans to expand access under the Snooper's Charter.
The British government has expressed its intention to expand access to information collected under the Investigatory Powers Act (commonly known as the "Snooper's Charter"). The Guardian reports that the additional agencies to be given communications data obtained under the Act included the Civil Nuclear Constabulary (the police force that protects civilian nuclear sites), the Environment Agency, the Insolvency Service, the UK National Authority for Counter Eavesdropping ("an anti-espionage service"), and the Pensions Regulator. The government's memorandum explaining the rationale for the change says, "These regulations include the addition of five public authorities who will gain the power to obtain communications data as they are increasingly unable to rely on local police forces to investigate crimes on their behalf."
Intelligence services craft phishbait to follow COVID-19 pandemic news.
Google's Threat Analysis Group (TAG) has a report on how nation-states are using COVID-19 as phishbait. TAG says it's tracked "over a dozen" government threat groups phishing with coronavirus lures. The goal of the attacks has been either delivery of malware packages or credential harvesting. Many of the targets were US Government employees. These were often baited with bogus offers of free fast food, presented as a generous gesture from various hospitality chains. These attempts were on the whole indiscriminate mass-mailed spam.
TAG doesn't offer any attribution of these phishing expeditions, but they do identify two threat groups by name, both of which are prospecting international health organizations, including WHO, the UN's World Health Organization. These are Charming Kitten, associated with Iran, and Packrat, a South American group whose sponsorship is less clear. Charming Kitten has been sending emails that spoof WHO as the sender; Packrat has been running bogus WHO pages.
Google doesn't see this trend as representing an increase in the amount of state-run operations. It's a shift in tactics and choice of bait, not a significant increase in operational tempo.
Governments continue experiments with technical aids to contact-tracing.
Singapore, Taiwan, and South Korea have all worked out contact-tracing technologies that appear to have shown success in containing the spread of COVID-19. They've gotten some positive notice on their attention to privacy, especially insofar as privacy is conceived in terms of measures to limit the possibility of government abuse, as ZDNet reports. But the very speed with which the applications were developed raises questions about whether they might be buggy with respect to unauthorized access or unintentional data exposure.
In the US, Senator Markey (Democrat of Massachusetts) has sent Vice President Pence a letter calling for a comprehensive approach to contact-tracing. Specifically, the Senator urges the Vice President to "to design and implement a comprehensive strategy for COVID-19 contact tracing in the United States." It should be "science-based," and incorporate these features:
- "Integration with Comprehensive Public Health Strategy"
- "Contact Tracing Workforce Surge"
- "Voluntary Participation"
- "Data Minimization and Retention Limitations"
- "Data Use Limitations"
- "Data Security"
- "Accountability and Recourse"
The Senator's letter explains each of these in brief detail. Some of them are old-school, like the "Contact Tracing Workforce Surge," which envisions a Federal Emergency Management Agency led effort that would organize public health organizations, first-responders, and volunteers who would provide the boots on the ground to track the infection manually. Any technology deployed would be an adjunct to such efforts: the participation of individuals would be voluntary and obtained on an opt-in basis.