
ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Privacy-Preserving Contact Tracing

By Richard Abrich and Gary S. Chan

COVID-19 is the most significant medical crisis the world has faced since the Spanish Flu in 1918. Ultimately, the solution will likely involve a combination of prevention (hygiene and vaccinations), detection (testing), reaction (quarantining), and reflection (lessons learned). But until preventative measures are widespread, the most effective and reliable defense against the spread of COVID-19 is contact-tracing:

Contact tracing is a decades-old tool for helping control the spread of infectious diseases. It has been used successfully in efforts to contain Ebola, SARS, MERS, tuberculosis, and other disease outbreaks. It is now a critical part of the fight against COVID-19. In practice, contact tracing begins with those who test positive for COVID-19. Those with whom they have had close contact are then identified, as they may have been infected too. These contacts are notified and supported through a period of quarantine—until they develop symptoms, pass the window of risk, or are proven not to have been exposed [4].

Unfortunately, contact tracing is a highly labor-intensive process that is often infeasible at scale [20], especially in dense environments. Multiple contact-tracing solutions have been proposed to meet this challenge, and governments around the world are racing to implement them. But these can have significant consequences for individual privacy. From a recent publication in leading medical journal The Lancet by Turing Award recipient Yoshua Bengio:

Despite the potential advantages, most of the applications in use or under consideration have an impact on individual privacy that democratic societies would normally consider to be unacceptably high. In a free and democratic society, there are major concerns regarding privacy [3].

In a June 2020 review, the head of Amnesty International’s Security Lab, Claudio Guarnieri, warned:

Bahrain, Kuwait, and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19. Privacy must not be another casualty as governments rush to roll out apps [1].

The goal of this article is to answer the following question: Is it possible to design practical contact-tracing technology that does not compromise on privacy or functionality? And what might such a system look like?

Can governments and companies preserve individual privacy in the rush to build COVID-19 contact-tracing solutions? We answer this question and propose a solution using Privacy by Design, a global standard that defines seven foundational principles to design privacy-preserving systems.

12 – ISSA Journal | November 2020

To answer this question, we will evaluate the degree to which privacy is upheld in existing contact-tracing systems using the Privacy by Design framework [7]. Then we will apply these principles to design a contact-tracing solution that strongly preserves individual privacy.

The Privacy by Design framework is a set of design principles that provide individuals with control over their information and has become a global standard. It is recognized by the US Federal Trade Commission as one of its three recommended practices for protecting online privacy [11], and it was incorporated into the European General Data Protection Regulation (GDPR) [10], one of the most comprehensive and wide-reaching privacy laws on the planet.

Principle 1: Proactive not reactive; preventative not remedial

The Privacy by Design (PbD) approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred—it aims to prevent them from occurring. In short, Privacy by Design comes before the fact, not after [7].

It often seems like privacy is an afterthought or even purposely ignored. Take, for example, Bahrain’s “BeAware Bahrain,” Kuwait’s “Shlonik,” and Norway’s “Smittestopp” contact-tracing apps. According to Amnesty International, these apps are amongst the most alarming mass surveillance tools on the market because they all continuously record GPS data and upload that information to a central server [1].

Such a poor outcome implies that privacy was most likely not considered at the beginning of the project. For example, was a privacy specialist part of the initial design team? Was the team trained on privacy preservation principles?

In order for a contact-tracing system to be effective, once an individual is confirmed to be infected, it must be able to identify everyone with whom the individual was in contact from the time he or she was first infectious. For COVID-19, this period has been empirically determined to be 14 days before the onset of symptoms [21]. Therefore, the ideal contact-tracing system would have a data retention period of 14 days and a data retention policy that purges all data after its period of utility has expired.

The ideal contact-tracing system would be designed around privacy, both technically and organizationally. An open source project, for example, would allow third parties to verify the privacy-preserving guarantees of the system by analyzing the source code. Recruiting the open source software community to contribute also has the added benefit of improving the code quality and reducing the likelihood of vulnerabilities. Privacy experts could participate in requirements gathering, design, testing, and implementation.

Principle 2: Privacy as the default setting

We can all be certain of one thing—the default rules! Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If individuals do nothing, their privacy still remains intact. No action is required on the part of individuals to protect their privacy—it is built into the system, by default [7].

In response to the pandemic, Apple and Google partnered to offer a privacy-preserving exposure notification API. This system periodically generates random IDs on each device, which are then saved to other devices in range via Bluetooth. The IDs of users confirmed to have COVID-19 by a public health authority are distributed to all enabled devices via a centralized server [9]. Importantly, the user’s infection status is not shared automatically [13]. This means that, even if a user is confirmed to have COVID-19, his privacy is preserved by default.

Apple and Google’s APIs are disabled by default [14][17], meaning that no information is collected by apps built on them without explicit opt-in by the user. However, users do receive a push notification prompting them to enable it [16]. This can be problematic if users agree without fully understanding what they are agreeing to. Unfortunately, this is often the case: In a study involving two thousand US consumers, 91 percent of them consented to legal terms and services conditions without having read them [6]. Still, Apple’s and Google’s apps adhere to this principle of making privacy its default setting.

The ideal contact-tracing system would have an explicit opt-in and would be implemented so as to minimize the possibility that the user’s consent is provided by accident.

Principle 3: Privacy embedded into design

Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality [7].

The underlying premise of location-based exposure notification apps requires that every smartphone uploads its GPS coordinates to the app creators’ servers. Once installed, apps that upload location information to a centralized location (like Bahrain’s “BeAware Bahrain,” Kuwait’s “Shlonik,” and Norway’s “Smittestopp”) are in clear violation of this principle.

Furthermore, any system that aggregates sensitive data in a centralized server has potential for abuse, regardless of whether that data includes geolocation information. According to University College London Faculty of Law’s Dr. Michael Veale:

One of the major concerns around centralization [of contact-tracing technology] is that the system can be expanded, that states can reconstruct a social graph of who-has-been-close-to-whom [13], and may then expand profiling and other provisions on that basis. The data can be co-opted and used by law enforcement and intelligence for non-public health purposes ... [15].

We need to be proactive about privacy management, and one way to do that is to identify features that should not be used. This includes GPS tracking and a central server that contains personally-identifiable information (PII).

Other exposure notification apps, like those built on Apple and Google’s exposure notification APIs, use cryptographically secure surrogate identifiers, which theoretically alleviate the most egregious privacy violations. But even these report usage data back to their parent companies [5].

In May 2020, a group of European privacy experts published “Decentralized Privacy-Preserving Proximity Tracing.” Their system uses a centralized server that is “untrusted with regards to protecting users’ privacy” and provides the following benefits [18]:

• Ensures data minimization. The central server only observes anonymous identifiers of COVID-19 positive users without any proximity information. Health authorities learn no information except that provided when a user reaches out to them after being notified by the app of exposure to a known COVID-19 case.

• Prevents abuse of data. As the central server receives the minimum amount of information tailored to its requirements, it can neither misuse the collected data for other purposes, nor can it be coerced or subpoenaed to make other data available.

• Prevents tracking of users. No entity can track users that have not reported a positive diagnosis. Depending on the implementation chosen, others can only track COVID-19 positive users in a small geographical region limited by their capability to deploy infrastructure that can receive broadcasted Bluetooth beacons.

• Dismantles gracefully. The system will dismantle itself after the end of the epidemic. COVID-19 positive users will stop uploading their data to the central server, and people will stop using the app. Data on the server and in the apps is removed after 14 days.

Can we do better? Removing the requirement for individuals to always be carrying a computing device removes the possibility of personal information being collected altogether. This has the added benefits of reducing friction to adoption and avoiding errors caused by individuals not having a device on their person (or at all). We will talk more about this later.

Principle 4: Full functionality—positive-sum, not zero-sum

Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both [7].

As we have established, a major flaw with some exposure notification applications is the fact they upload location information to a centralized server, along with the user’s identity. Apple’s and Google’s exposure notification APIs address this problem by replacing location information with proximity information, and replacing non-anonymized user identities with cryptographically secure surrogate identifiers.

However, even cryptographically secure ones like those built on Apple’s and Google’s APIs only work if they can upload data to a centralized server. This flaw can be remedied by replacing the centralized storage model with a decentralized one that is not owned by Apple or Google (e.g., on-premise hosting) such that data ownership is distributed between independent organizations.

Principle 5: End-to-end security—full life-cycle protection

Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire life cycle of the data involved—strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle-to-grave, secure life-cycle management of information, end-to-end [7].

A contact-tracing application that implements end-to-end security should implement encryption for data at rest and in transit. Furthermore, Apple’s and Google’s APIs replace user identities with cryptographically secure surrogate IDs:

To strengthen privacy, this protocol leverages a new concept—Bluetooth pseudo-random identifiers, referred to as rolling proximity identifiers. Each rolling proximity identifier is derived from a rolling proximity identifier key, which is in turn derived from a temporary exposure key and a discretized representation of time. The rolling proximity identifier changes at the same frequency as the Bluetooth randomized address, to prevent linkability and wireless tracking. Nonuser identifying associated encrypted metadata is associated with rolling proximity identifiers. The broadcast metadata from a user can only be decrypted later when the user tests positive [12].

Any contact-tracing application may contain a software vulnerability that serves as a potential attack vector by which an adversary might collect sensitive information about the user. For example, a vulnerability in Qatar’s EHTERAZ contact-tracing app allowed cyber attackers to access the name, national ID, health status, and location of more than one million users [2].

Code for the ideal contact-tracing system must be written with security in mind from day one. It should be obfuscated and minified so that it cannot be reverse engineered. It should be tested repeatedly so as to expose bugs, which should be fixed promptly. The code should be designed so that it is easy to update and patch, and should use code hardening and code signing.

Every unit of data exchanged in the app must be encrypted so that even if the data is stolen, there’s no way for it to be read and misused. Any third-party libraries should be thoroughly tested before being used. These should only be used via controlled internal repositories, and policy controls should be exercised during acquisition to protect from vulnerabilities within the libraries.

The ideal contact-tracing app should not cache authorization information for third-party APIs locally so as to avoid potential loopholes for attackers to hijack privileges, and should instead use server-side authorization for maximum security.

The ideal contact-tracing app should abide by the principle of least privilege and should not request permissions that it does not need, such as access to the user’s contacts.

Securing software is a never-ending process, as new threats are constantly emerging. The ideal contact-tracing app should be developed by an organization that invests in penetration testing, threat modeling, and emulation for vulnerability testing. It may also use static (code) scanners to identify and remove common coding patterns that lead to security vulnerabilities. In addition, it should be periodically audited and subjected to penetration testing. This applies to the client application as well as to any related server code: data must be kept confidential, and its integrity must remain intact, without any unauthorized modification.
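The flow described under Principles 2 and 5 (per-interval random identifiers exchanged over Bluetooth, only confirmed-positive users’ keys reaching the server, matching done on the device, and the 14-day retention window from Principle 1), as an added worked example that is not code from the article, from Apple or Google, or from the DP-3T project. The published protocol derives rolling proximity identifiers with HKDF and AES [12]; this stand-in uses HMAC-SHA256 so it runs on Python’s standard library alone, and the 10-minute interval, the derivation labels, the Device class and the simulate() scenario are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed parameters: identifiers roll every 10 minutes (assumed), and the
# retention window is the 14 days the article derives from [21].
INTERVAL_SECONDS = 10 * 60
INTERVALS_PER_DAY = 24 * 60 * 60 // INTERVAL_SECONDS  # 144
RETENTION_DAYS = 14


def day_of(interval: int) -> int:
    """Map an interval number to the day it belongs to."""
    return interval // INTERVALS_PER_DAY


def rolling_key(daily_key: bytes) -> bytes:
    """Derive the per-day rolling proximity identifier key from the temporary
    exposure key.  The real spec uses HKDF; HMAC-SHA256 is a stand-in here."""
    return hmac.new(daily_key, b"EN-RPIK", hashlib.sha256).digest()[:16]


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Derive the 16-byte identifier broadcast during one interval.  Without
    the daily key, identifiers from different intervals are unlinkable."""
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(rolling_key(daily_key), msg, hashlib.sha256).digest()[:16]


@dataclass
class Device:
    daily_keys: dict = field(default_factory=dict)  # day -> key; leaves the device only on a positive test
    observed: dict = field(default_factory=dict)    # identifier heard -> interval; never uploaded

    def key_for_day(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = secrets.token_bytes(16)
        return self.daily_keys[day]

    def beacon(self, interval: int) -> bytes:
        """Identifier this device broadcasts during the given interval."""
        return rolling_identifier(self.key_for_day(day_of(interval)), interval)

    def hear(self, identifier: bytes, interval: int) -> None:
        """Record an identifier received over Bluetooth."""
        self.observed[identifier] = interval

    def purge(self, now_interval: int) -> None:
        """Retention policy: drop keys and observations older than 14 days."""
        cutoff = day_of(now_interval) - RETENTION_DAYS
        self.daily_keys = {d: k for d, k in self.daily_keys.items() if d > cutoff}
        self.observed = {i: t for i, t in self.observed.items() if day_of(t) > cutoff}

    def keys_to_publish(self, now_interval: int) -> list:
        """What a confirmed-positive user uploads: only in-window daily keys,
        never the identifiers heard and never an identity."""
        self.purge(now_interval)
        return sorted(self.daily_keys.items())

    def check_exposure(self, published: list) -> list:
        """Re-derive every identifier a published key could have produced and
        match it against what this device heard.  Matching stays local."""
        hits = []
        for day, key in published:
            first = day * INTERVALS_PER_DAY
            for interval in range(first, first + INTERVALS_PER_DAY):
                if rolling_identifier(key, interval) in self.observed:
                    hits.append(interval)
        return hits


def simulate() -> dict:
    """Constructed scenario: Alice meets Bob for two intervals on day 20; Carol
    only ever meets Bob.  Alice also holds an old key from day 3.  Two days
    later Alice tests positive and publishes her keys."""
    alice, bob, carol = Device(), Device(), Device()
    now = 20 * INTERVALS_PER_DAY + 5
    alice.beacon(3 * INTERVALS_PER_DAY)  # creates a day-3 key that should age out
    for interval in (now, now + 1):
        bob.hear(alice.beacon(interval), interval)
        alice.hear(bob.beacon(interval), interval)
    carol.hear(bob.beacon(now + 3), now + 3)
    published = alice.keys_to_publish(now + 2 * INTERVALS_PER_DAY)
    return {
        "server_sees_days": [day for day, _ in published],
        "bob_exposed_intervals": bob.check_exposure(published),
        "carol_exposed_intervals": carol.check_exposure(published),
    }


if __name__ == "__main__":
    print(simulate())
```

The server in this model only ever receives the daily keys of users who chose to report a positive result, and the day-3 key is dropped by the retention check before upload; everyone else’s observations, and every match, stay on the device that made them.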

Principle 6: Visibility and transparency—keep it open

Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike. Remember, trust but verify [7].

A significant problem with current exposure notification apps is that they use a central server in order to broadcast the identities of infected individuals to the rest of the network. This is also true for cryptographically secure ones. Apple and Google collect and store information on their private servers, which nobody else has access to. Because of this architecture, it is difficult for the public to audit and verify what data is collected and that the data is used in a manner that is privacy-preserving. Aside from trusting Apple and Google, there would be no way for an independent third party who does not have inside access to verify that data is securely destroyed after its period of utility has expired.

In the ideal contact-tracing system, claims related to privacy must be verifiable by third parties. Making the software open source further improves visibility and transparency.

Principle 7: Respect for user privacy—keep it user-centric

Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike. Remember, trust but verify [7].

Every aspect of the ideal contact-tracing system’s design must be motivated by the ultimate goal of preventing COVID-19 outbreaks at scale. No aspect of the system can exist without an explicit and direct path back to this central goal. This includes things like collecting usage data that is not necessary for contact-tracing purposes.

The ideal contact-tracing system would also include an intuitive user interface focused on privacy, allowing users and administrators to monitor privacy-sensitive information, like data retention and privacy violation complaints as well as privacy settings. The terms and conditions would also be written in a way that is easy to understand by the average user who does not have a law degree.

A Proposed Solution

In the preceding sections, we introduced Privacy by Design principles and explored the degree to which they are present in existing contact-tracing solutions. Along the way, we also suggested some privacy properties of the ideal contact-tracing system. Combining these concepts and considerations, what might the ideal privacy-preserving contact-tracing solution look like?

Some of the most successful contact-tracing efforts have been in South Korea and Singapore. One of the key methods employed by public health authorities in these countries that others have so far largely ignored is the systematic review of security camera footage [8][19]. By watching videos recorded by standard CCTV cameras that are often ubiquitous in private and public spaces alike, contact tracers in these countries are able to pinpoint which individuals were exposed to known COVID-19 cases and can do so without having to rely on fallible human memory. What obviously fails here is that the system does not adhere to PbD principles, since the video data is cross-referenced with location and identity information from cell phones.

But what if a contact-tracing system that takes advantage of CCTV footage could also be privacy preserving? What if there were an open source software tool developed by independent security experts that analyzes data from existing security video systems to identify individuals who have been exposed to one another?

This system would not require that individuals carry a smartphone with them at all times. Instead, users would be invited to opt-in (e.g., by scanning a QR code with their camera app). This would provide the system with their contact information, along with explicit consent that they are interested in being notified if they are exposed to COVID-19. With so many steps, it would be almost impossible for an individual to accidentally opt-in.

This system would include comprehensive documentation to make it easy for organizations to deploy it within their facilities. Distributing the hosting in this manner, in turn, would prevent data from being aggregated in a single source, thereby mitigating the privacy implications of a security breach. And being open source, the code would be auditable by independent third parties.

The knee-jerk reaction to the notion of video-enabled contact tracing is often one of suspicion, and rightly so. However, if implemented in the manner we have suggested here, such a system may not only be the most effective contact-tracing technology, it may also be the most privacy preserving.

The team designing and implementing the system would include a privacy specialist from the beginning. It would create and clearly advertise a privacy hotline to allow users to report privacy concerns and violations so that they can be promptly addressed. The company would have a comprehensive privacy policy that is easily understood by the average user, and it would adhere to the GDPR and Privacy Shield framework, the EU-US and Swiss-US system administered by the US Department of Commerce’s International Trade Administration (ITA). Protocols would include regular vulnerability scanning of the application and any infrastructure on which it depends. All data would be encrypted in transit and at rest. The code itself would use only secure libraries and trusted APIs.

In this way, we have designed and incorporated privacy and security elements into a privacy-preserving contact-tracing system that allows organizations to be proactive about preventing COVID-19 outbreaks in their facilities.

Conclusion

Contact-tracing will continue to be an important tool for public health officials to prevent the spread of COVID-19. To support this effort, governments and companies have been building technology solutions to be used at scale. We applied the seven Privacy by Design principles to identify pitfalls of widely-used technology solutions with respect to privacy and propose a different approach to contact tracing that preserves individual privacy. Our solution meets strong privacy principles, thereby increasing individuals’ willingness to adopt the technology. It also gives businesses peace of mind that they are compliant with privacy laws and regulations, like GDPR, while keeping customers and employees safe.

References

1. Amnesty International. “Bahrain, Kuwait, and Norway Contact-Tracing Apps Among Most Dangerous for Privacy” – https://www.amnesty.org/en/latest/news/2020/06/bahrain-kuwait-norway-contact-tracing-apps-danger-for-privacy/.

2. Amnesty International. “Qatar: Contact-Tracing App Security Flaw Exposed Sensitive Personal Details of More Than One Million” – https://www.amnesty.org/en/latest/news/2020/05/qatar-covid19-contact-tracing-app-security-flaw/.

3. Bengio, Yoshua, et al. “The Need For Privacy with Public Digital Contact-Tracing during the COVID-19 Pandemic,” The Lancet – https://www.thelancet.com/journals/landig/article/PIIS2589-7500(20)30133-3/fulltext.

4. Bode, Molly, et al. “Contact-Tracing for COVID-19: New Considerations for Its Practical Application,” McKinsey & Co. – https://www.mckinsey.com/~/media/McKinsey/Industries/Public%20and%20Social%20Sector/Our%20Insights/Contact%20tracing%20for%20COVID%2019%20New%20considerations%20for%20its%20practical%20application/Contact-tracing-for-covid-19-new-considerations-May-2020.pdf.

5. Brandom, Russell. “Apple and Google Announce New Automatic App System to Track COVID Exposures,” The Verge – https://www.theverge.com/2020/9/1/21410281/apple-google-coronavirus-exposure-notification-contact-tracing-app-system.

6. Cakebread, Caroline. “You're Not Alone, No One Reads Terms of Service Agreements,” Business Insider – https://www.businessinsider.com/deloitte-study-91-percent-agree-terms-of-service-without-reading-2017-11.

7. Cavoukian, Ann. “Privacy by Design: The 7 Foundational Principles,” The Information & Privacy Commission, Ontario, Canada – https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf.

8. Cha, Sangmi and Smith, Josh. "South Korea Promises More Privacy As It Tracks Contacts of New Coronavirus Cas-


13. Google. “Exposure Notifications: Frequently Asked Questions” – https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ExposureNotification-FAQv1.2.pdf.

14. Google. “Use the COVID-19 Exposure Notifications System on Your Android Phone” – https://support.google.com/android/answer/9888358?hl=en-GB.

15. Lomas, Natasha. “EU Privacy Experts Push a Decentralized Approach to COVID-19 Contacts Tracing,” Tech Crunch – https://techcrunch.com/2020/04/06/eu-privacy-experts-push-a-decentralized-approach-to-covid-19-contacts-tracing/.

16. Muoio, Dave. “Apple, Google's Contact-Tracing Update Streamlines User Enrollment, Asks Less of Public Health Developers,” Mobile Health News – https://www.mobihealthnews.com/news/apple-googles-contact-tracing-update-streamlines-user-enrollment-asks-less-public-health.

17. Potuck, Michael. “How to Manage COVID-19 Exposure Notifications on iPhone,” 9to5 Mac – https://9to5mac.com/2020/09/01/how-to-turn-on-off-covid-19-contact-tracing-iphone-ios/.

18. Troncoso, Carmela et al. “Decentralized Privacy-Preserving Proximity Tracing” – https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf.

19. Vaswani, Karishma. “Coronavirus: The Detectives Racing to Contain the Virus in Singapore,” BBC News – https://www.bbc.com/news/world-asia-51866102.

20. Wong, Vincent et al. “Beyond Contact-Tracing: Community-Based Early Detection for Ebola Response,” PLOS – http://currents.plos.org/outbreaks/index.html%3Fp=64648.html.

21. WHO. “Coronavirus disease 2019 (COVID-19) Situation Report - 73,” World Health Organization – https://www.who.int/docs/default-source/coronaviruse/situation-reports/20200402-sitrep-73-covid-19.pdf?sfvrsn=5ae25bc7_6.

About the AuthorsRichard Abrich is a machine learning sci-entist, engineer, and entrepreneur. He has built software products and led teams at top Silicon Valley startups and Fortune 500 companies and is creator of www.Contact-TracingAI.com, the open source software-as-a-service that helps businesses avoid closures by preventing COVID-19 outbreaks. He may be reached at [email protected] S. Chan is an information security management consultant who helps compa-nies build and operate their security pro-grams. He designed and deployed technology solutions to state agencies and federal pro-grams and headed the information security department of a large cap technology com-pany and a large hospital chain. He may be reached at [email protected].

es," Global News – https://globalnews.ca/news/6942244/south-korea-coronavirus-tracing-routes/.

9. Clover, Juli. “Apple's Exposure Notification System: Every-thing You Need to Know,” Mac Rumors – https://www.mac-rumors.com/guide/exposure-notification/.

10. EDPS. “Preliminary Opinion on Privacy by Design,” Euro-pean Data Protection Supervisor – https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf.

11. FTC Report. “Protecting Consumer Privacy in an Era of Rapid Change,” Federal Trade Commission – https://www.ftc.gov/sites/default/files/documents/reports/feder-al-trade-commission-report-protecting-consumer-priva-cy-era-rapid-change-recommendations/120326privacyre-port.pdf.

12. Google. “Exposure Notification: Cryptography Specifica-tion” – https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ExposureNotifi-cation-CryptographySpecificationv1.2.pdf
