Contact Tracing: The Cybersecurity Risk of Cellphones

Thursday, July 16
Matt Boehnke

Matt Boehnke

Assistant Professor & Director of Cybersecurity
Columbia Basin College


Restrictions and regulations being placed on businesses in an effort to prevent COVID-19 transmission have created additional expenses and stress for owners and employees alike. Several measures to trace the spread of COVID-19 rely on smartphone technology to make it effortless and foolproof for people to participate. But this supposed simplicity raises many questions about what information is being shared by individuals, who has access to it, and how these contact tracing apps and programs affect the security of devices and networks.

Matt Boehnke, who has spent over 20 years in cybersecurity and information systems, explained how some of these contact tracing applications work, and discussed some basic practices that businesses can follow to maintain control over the information they are sharing with third parties. Matt is currently the Director of Cybersecurity at Columbia Basin College and began his IT career in the Army, where he served for 21 years.

Matt mentioned that the COVID-19 outbreak started and it took several weeks before there was any significant guidance for companies on how to prevent their employees from becoming infected or transmitting the virus to other employees. Only after several weeks of collaboration and information sharing was guidance made available. Currently, the University of Washington, Google, and Apple are collaborating on contact tracing software that can provide information that can help health officials manage and respond to the spread of COVID-19 while protecting individuals’ health data.

While collaboration allows for useful large-scale management of data, it creates opportunities for abuse of that data, and certain standards should be implemented to ensure security. An MIT program that tracks COVID-19 tracing applications found that there are currently over 100 different applications with varying standards for protecting personal data.

Matt explained that there is a bi-partisan effort in Congress to set standards for contact tracing software. Senators Maria Cantwell and Bill Cassidy have introduced The Exposure Notification Privacy Act, which would require that data be destroyed after a certain period, that companies offering these applications must collaborate with the government, that the applications must be voluntary, and that commercial use of data collected by these applications is prohibited. Matt remarked that the collaboration between Apple, Google, and the University of Washington has already established these requirements as a part of the contact tracing program they are developing.

Matt offered some suggestions for good cybersecurity habits that can be easily implemented. He recommended setting a date for “spring cleaning” of company devices, which includes uninstalling any unused applications, as well as removing documents that do not need to be stored on those devices. He also mentioned that he has conducted internal “phishing” tests by sending emails to employees that mimic tactics used by email scammers. These emails contain links or attachments that, if followed or downloaded, will alert the IT staff that the employee may need additional training on email security protocols.

Much of Matt’s presentation was devoted to answering questions from the online participants, expressed concerns about what data is being collected, and how they can get employees to comply with added security requirements. Many participants were equally concerned about their personal phones, which Matt advised will become even more vulnerable as internet-connected devices for health, business, and convenience proliferate in the home.

To close the presentation, Matt stressed some simple security measures that should always be followed. People should change their passwords regularly, but should not need to change them more frequently than every 90 days unless there is a significant breach in security. Most importantly, Matt reminded that the saying “you get what you pay for” is fully applicable to software, applications, email, and online services: if it is free, then you are paying with some form of information about yourself.