Tuesday, April 14, 2020

Looking at the Privacy-Preserving Cross-Border Contact Tracing App, BlueTrace and TraceTogether


Despite the detour here toward biological testing snafus (currently being investigated by US intelligence at the request of Trump, to deflect blame from the initial handling of the containment phase), the basic point of looking at BlueTrace is what is called a "stack violation": pinning a solution to a particular network protocol. A good Covid-19 app solution should exist outside a specific stack like Bluetooth, which requires the radio to be on constantly (bad, because it drains the battery). Strictly speaking, BLE advertising is connectionless and designed for low power; the drain comes from continuous scanning and, on iOS, from keeping the app in the foreground, which is why Apple and Google moved the function into the operating system. The other bad thing about Bluetooth is its complexity and the relative ease of being hacked that comes with that complexity. So while it is great for hooking up a personal area network (PAN) from an iPhone to AirPods, it is really not designed to be a WAN that handles a community. Reliance on a central server is currently the issue in the European architectures, which have forked over it.

Instead of "tracing together", can we individually trace based on our personal security profile?

Oh yes we can! This mirrors for many reasons how people trust each other, and I am working out exactly how to do this. So while BlueTrace actually worked well, it has some preconditions about how cell phones are surveilled. This can have some long term privacy consequences, which are coming out in the requirements analysis. So let's take a bit of a detour to biological weapons research in the 1960s and how it had the unintended consequence of a major cultural revolution by the baby boomers, and to more recent research on psychological coping with disease and death, as well as interesting spins on creativity in writing computer code in Silicon Valley.


In a recap, epidemiologists and policy makers developed a general response plan here in the US, but the idea of biological threat modeling is fairly old (actually historic) and was also tied up in a nasty CIA project, MKULTRA, most of whose files the CIA destroyed. I don't intend to go entirely down the MKULTRA rat hole; it is well known. We will be sending in the rat dog however.



This MKULTRA CIA project actually happened and is not a conspiracy theory. There were significant Congressional hearings, however the full story has only come out this year.

We need to free up the covid-19 response from conspiracy theories (bolding indicates a requirement here), but rat dog will get the functional requirements that the conspiracy theory may help reveal.

Part of this is an individually controlled distributed architecture (still validated by Covid testing labs) versus the centralized mechanism currently used by the CDC.

There was a demonstrated failure in the CDC's centralized infection control system and in its communication with health departments across the US. If it had been working properly we would have contained the virus via isolation and contact tracing. We will return to this point fairly soon, because we can't economically keep up the mitigation phase for ever. The gap is going to be filled by a new architecture for Public Health (and it is good to understand the history of Public Health in general and why it is different from medical care). We need to go back to Philadelphia and the Yellow Fever epidemic and how a disease interacts with politics, in this case Dr. Benjamin Rush and his tireless services bleeding people in an attempt to fix Yellow Fever, and how this spawned current disease control measures. Different diseases for which there were no actual cures resulted in different approaches based on the knowledge of medical science at that point in time.

So from that point of view, a conspiracy theory is useful in helping to see long term requirements, not so much the standardized epidemic response stages of what to shut down when. We can clearly see that a coronavirus respiratory pandemic was predicted, based on a book on the 1918 Flu and a subsequent plan put into place. There has been no lack of warnings and predictions right up to the point where the country went into lockdown.

It is however not necessary to react or not react based on the conspiracy theory itself. The conspiracy theories are a disinformation distraction. Yet we can extract some truth from them once the centrifuge removes the political spin. The political spin is a key part of the epidemic.

The result will be essentially the same. Part of this is about power.

There's a reason for that. It is said from the POV of the local health department official that must follow very logical privacy rules.

We can go way back to the Roman Empire and Cicero to explain how this works.

It is entirely germane to the use case.

It relates to the nature of the concept of "official".

Official and the concept of office involves the nature "of return" where people would return to a spot to make decisions. In this case a "return" to normal. Yet the virus is a change agent, and things don't entirely return to normal, they are changed, hopefully for the better.  As such there is a very tragic price to be paid, like a war.

This is the economic side of the theory and architecture. It is not exactly a return for everyone, it is a return for the officials.

Official actions result in codified ways of doing things.

There are well understood rules. For example, stay indoors.

The way the data flows, Public Health deals with populations, not with individuals in general. The doctors and hospitals deal with the specific individuals.

So public health  has a codified approach to privacy.

That's why they won't name individuals.

The non-official data stream is different. We know who we are, whom we deal with in different personal and business relationships and we know where we have been. Prior to lockdown we were moving around a lot. Sometimes all over the world. And there was no previous testing before getting on a plane, or taking a vacation, renting an AirBnb, or staying at a hotel.

Economically all those relationships became non-liquid, like the stock market in 2008. People no longer knew what was what. So what does the Public Health official say? Treat everyone you meet and come into contact with as if they are infected. That may be possible during a mitigation or suppression phase; it will not work in a recovery phase. An individual does not make official decisions, she makes micro choices every day. That involves a bunch of personal decisions. This flexibility is required of individuals. So the person who got infected and tested positive has a moral duty to inform the people in the personal chain they came in contact with, because even the official chain had little testing, and little contact tracing compared to other countries.

 If you got infected while you were in Wuhan and realized a week later that you were positive, it's likely you would (if you could) reach out to whom you came in contact.

To some extent it can be ignored, a good solution can meet the requirements without the conspiracy theories, even if in fact politicians in charge of the epidemic response are incapable of escaping from the conspiracy filter bubble. So the result is not the same because the only option is quarantine. It may be the most logical result, but that will eventually have to change.

So while rat dog does his digging out of the rodents, let's see what he came up with.

John Oliver's rat erotica was down in the tunnel. Not very useful.

There are a few social aspects of a secret program that recruited various labs all over the US to test LSD on unwitting subjects to research brain washing among other things.  Here is a solid requirement.

Exposure to any clinical biological trial must have informed consent.

Medical trials without informed consent were a feature of MKULTRA. It also had unintended consequences; the 1960s future society makers and designers who mentally travelled to otherwise unexplored personal experiences (which generally had been limited to religious experiences and shamans) tried to integrate their experience into redesigning society.

MKULTRA LSD medical experiments regarding mind control (which put some prisoners on an everyday quadruple dosage for months on end) not only spiked the collective punch of the 1960s counter culture, but also the music of the highest grossing rock band with a legion of followers, as well as the technology and culture of Silicon Valley.

What was originally an experiment without consent migrated to a sometimes voluntary social experiment in the 1960's that subsequently became illegal.

There were a lot of disruptive ideas in the 1960s (sort of summed up in the Whole Earth Catalog) and later, in 1985, the WELL, an online discussion board heavily invested in futurology.

Rights in digital space/cyberspace were documented by John Perry Barlow (tracing the whole Grateful Dead thread of ideas).

Covid-19 applications must incorporate fundamental human and legal rights which are immutable, and thus highly traceable in a legal and societal sense. In short, GDPR is still applicable. 

There is nothing about a Quarantine itself that is unique to 2020 except it works more effectively on our own terms with modern tools.

Extending this to a commerce solution is an extension of NIST requirements, from Department of Commerce.  Thus privacy requirements, as interpreted by technological requirements are critical.


Technological requirement in general:

Make it work on a mobile smartphone

Sub-requirement: make it work on IoT devices for those at risk who are not using a smartphone to interact

Protocol choice should be open ended but some protocols may have a PRIVACY requirement that is unique to that protocol

Computer hackers started out as a cultural subgroup (we can trace that back to the MIT Tech Model Railroad Club and the Hacker Jargon File) and were victims of legal harassment by the commercial enterprises of a past culture that was not "network savvy" in the 1970s. Lots of water over the dam since the 1970s, but some hacker "culture" still exists in 2020 in terms of hacking a problem like covid-19 and applying the latest technology.

Have an open source version

The FOSS GNU story is also well known. It affects security when there are too few open source maintainers, or when libraries with unpatched security flaws are used. Companies that do not contribute to FOSS may later be stung when they cannot easily upgrade their software.

This may be from either purchased software or actual open source like Apache projects. Examples are too numerous to mention, but consider the Apache Struts web application framework at Equifax, and OpenSSL's Heartbleed in Juniper products.

Thus threat modeling is an important requirement, as there has been significant harm to the economy. Unlike other situations where a company can survive due to a monopoly market position, or even a well tuned competitive position, the damage to a company can be severe if the CONSPIRACY THEORY anti-pattern is in effect. The "Deep State" conspiracy anti-pattern significantly hampered Federal Government covid containment efforts in January and February of 2020.

While technology from the 1970's is not all  that interesting to current developers it is very important for developing a health care/commerce application such as Covid Cleared because requirements must be traceable.

50 years later we are essentially constantly on the network, and that carries some risk for covid applications, since a variety of them, such as the Google-Apple Bluetooth protocol design, keep the radio scanning constantly to do a different function, namely contact tracing, in a privacy preserving design, as opposed to text messages in South Korea (related to the TRANSPARENCY requirement).

This interaction would develop into the EFF, that promotes digital rights, privacy and technical literacy  in new technology as well as legal counsel in these related issues where technology, culture, and the law have a less than perfect alignment.

Often the Venn diagram seen by hackers ends up eventually coming true, but being heavily future oriented gets them in trouble, whereas some ideas just become obvious later on.  Hackers find out earlier, (and often keep that data hidden for different motivations) things in which they have developed a depth of expertise.

It is often the pioneers that get the arrows in the back, but sometimes it's also the smart investors who make out. Later we find out what economic  externalities exist.

In the 1990's came the  cypherpunks mailing list (I was one),that explored the  grand ideas of distributed non centralized computing like digital currency.

Now we have  blockchain, BTC and Ethereum smart contracts.

Of course, like the Internet, there is a certain Wild West stage until the technology and the ideas underlying it are simply part of everyday life. We can trace this back to the 18th century Enlightenment frameworks that rode along with U.S. westward expansion, fueled by the idea that exploitation of the environment was OK. It would be far later that active conservation was deemed necessary. This (environment versus economic exploitation) is actively a requirement conflict area.

A covid application should not exploit the network as an externality.

Silicon Valley was uncanny in creating story lines around these conflicts, actual distributed computing problems mapped  onto  a social context.

Although the cypherpunks came later, the fact that one could disrupt and reinvent culture in a yet to be imagined future was already an American tradition going back to 1666 with Kelpius,  and later implemented by the American Revolution which forged a unique identity, and simply continued to new spaces, in this case digital spaces.

Some of those test subjects, such as Ken Kesey, later went back to get more government acid supplied by the CIA, which had bought up the world's supply from Sandoz, and formed the Merry Pranksters, which would be the nucleus of the counter culture and the Grateful Dead acid tests.

When the government experimental supply ended they turned to their chemist friends to make it themselves, which in turn attracted more users. This was truly a dual use (military and civilian)  biological experiment.

As engineers experimented with this they helped implement disruptive creative thinking, (along with parallel engineering breakthroughs in microchips) that formed an important and documented  part of Silicon Valley computing development that is not very well known.

MKULTRA all came out in the 1970s, regarding fears of a "Manchurian Candidate" (which is a great movie) about brainwashing of soldiers captured by the North Koreans. We see that propaganda was already a well established tool in the 1930s, based on Freudian concepts and modern advertising.

There is a recent book out on the MKULTRA subject, and, spoiler alert, it turns out that a specific scientist working for the CIA who developed poisons, etc., wasted a lot of money and tortured and killed people at black sites to find out that essentially mind control did not work. The fears (and essentially their covert funding) were largely based on the movie script and some people who appeared to be brainwashed.

Of course this isn't the only time that a movie plot  got policy makers involved in homeland security. The movie "War Games" got Reagan interested in promoting cybersecurity more than the reported hacking of various military systems that had already occurred.

Now from the biological warfare aspect, the U.S. Army also studied how bacteria spread in the NYC subway, and the Navy did the same aboard ships.

This article cites the basic problem, also present in the covid-19 use case.

This is the ethical problem of exposing people to risks from biological agents without their consent. The soldier volunteers who participated at Fort Detrick are somewhat a different story and somewhat the same story, because Fort Detrick is part of the covid research.

Informed Consent as a requirement

How much does the app click wrap contract actually inform you? This is the basic lie. You want to listen to music on your iPhone. Apple asks you to read and acknowledge a 44 page contract on a little screen. So you thoroughly read it and ask your lawyer about any parts you don't understand like a rational person right? Of course not.

You lie and that little lie is the start of something very pernicious about your privacy because, although you agreed to get access to a service, and they presented you with the legalese, you really were not informed.

You were hoping it would just be pro forma and you could ignore the consequences. The point is to listen to music, and not get hung up on the legalese. Just like it was the point of blowing off some steam on spring break at Cabo, again not entirely understanding the consequences, or Mardi Gras.

Note this is a part of what Shoshana Zuboff states is a critical way of wearing down your defenses against electronic abuse.

You want the cool stuff, so you ignore the legal stuff.

Logically that person has been shown a contract, but as consent is "informed", it implies some understanding of the consequences.

Kyle is so excited about getting an Apple device 9 years ago that he ignores the part about reading the contract, like all of us. The results are tragic comedy.

This is doubly true in the covid-19 pandemic. Different architectures will have different consequences. Uber used to demonstrate "God" mode at launch parties. People at the parties didn't want to talk about it; riders who found out they were being tracked were upset. Now tracking the ride is a security feature and "God" mode is supposed to be gone.

Only South Park could have come up with the Human Centipad idea in the  terms and conditions and done it with such an amazing lack of good taste, but the point is clear.

By  the time that any of the Tech giants make it to the FTC, the damage is already done and the privacy genie can't be put back in the bottle.

So absolutely privacy has to be built in. That means clear requirements.

So how did BlueTrace do this? BlueTrace is the protocol behind Singapore's open source contact tracing app, TraceTogether.
The FOSS reference implementation, OpenTrace, is at "opentrace-community" on GitHub. They did it using a specific form of technology known as Bluetooth Low Energy beaconing. Phones within Bluetooth range exchange short-lived temporary IDs issued by the health authority's server and keep them in a local encounter log; only when a user tests positive, and consents, is that log uploaded so the authority can decrypt the IDs and notify the contacts. Health status itself is never broadcast between phones. Korea did this with text messages because its authorities can pull confirmed cases' phone location, card transaction and CCTV records.
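To make that flow concrete, here is an added example (written for this page, not code from the OpenTrace repository) that models the BlueTrace token lifecycle in Go: the authority seals UserID, start and expiry under a key only it holds, phones exchange and log the opaque tokens, and only the authority can turn an uploaded encounter log back into a contact list. The 21-byte UserID, the 12-byte GCM nonce in place of BlueTrace's 16-byte IV, and the `strings.Repeat` placeholder IDs are assumptions for this example; BlueTrace's 21-day on-device retention is not implemented here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// userIDLen is an assumption for this example: a fixed-width UserID means the
// plaintext layout (UserID || start || expiry) needs no length prefix.
const userIDLen = 21

// Authority models the health authority's server. It alone holds the key that
// turns a TempID back into a UserID; phones only ever see opaque tokens.
type Authority struct{ key []byte }

func NewAuthority() (*Authority, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Authority{key: key}, nil
}

func (a *Authority) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(a.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce here; BlueTrace uses a 16-byte IV
}

// IssueTempID returns the token a phone broadcasts over BLE between start and
// expiry (unix seconds): base64(nonce || AES-GCM(UserID || start || expiry)).
func (a *Authority) IssueTempID(userID string, start, expiry uint32) (string, error) {
	if len(userID) != userIDLen || expiry <= start {
		return "", fmt.Errorf("need a %d-byte userID and expiry > start", userIDLen)
	}
	plain := make([]byte, userIDLen+8)
	copy(plain, userID)
	binary.BigEndian.PutUint32(plain[userIDLen:], start)
	binary.BigEndian.PutUint32(plain[userIDLen+4:], expiry)
	g, err := a.aead()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(g.Seal(nonce, nonce, plain, nil)), nil
}

// ResolveTempID is the server-side inverse. Because GCM authenticates, a corrupted
// token, or one sealed under another authority's key, is rejected outright.
func (a *Authority) ResolveTempID(tempID string) (string, uint32, uint32, error) {
	raw, err := base64.StdEncoding.DecodeString(tempID)
	g, gerr := a.aead()
	if err != nil || gerr != nil || len(raw) < g.NonceSize() {
		return "", 0, 0, fmt.Errorf("malformed TempID")
	}
	plain, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], nil)
	if err != nil || len(plain) != userIDLen+8 {
		return "", 0, 0, fmt.Errorf("tampered or foreign TempID")
	}
	return string(plain[:userIDLen]),
		binary.BigEndian.Uint32(plain[userIDLen:]),
		binary.BigEndian.Uint32(plain[userIDLen+4:]), nil
}

// Encounter is one line of the phone's local log: which token was heard and when.
type Encounter struct {
	TempID string
	Seen   uint32
}

// ContactsFrom runs on the authority after a diagnosed user consents to upload
// their log. A token heard outside its own validity window suggests replay or
// clock skew and is dropped rather than trusted.
func (a *Authority) ContactsFrom(log []Encounter) []string {
	uids := map[string]bool{}
	for _, e := range log {
		uid, start, expiry, err := a.ResolveTempID(e.TempID)
		if err == nil && e.Seen >= start && e.Seen < expiry {
			uids[uid] = true
		}
	}
	out := make([]string, 0, len(uids))
	for uid := range uids {
		out = append(out, uid)
	}
	sort.Strings(out)
	return out
}

func main() {
	a, _ := NewAuthority()
	tok, _ := a.IssueTempID(strings.Repeat("u", userIDLen), 1000, 1900)
	fmt.Println(tok, a.ContactsFrom([]Encounter{{TempID: tok, Seen: 1500}}))
}
```

Two things fall out of running it. A peer phone holding a token learns nothing without the authority's key, which is the privacy property; and a token issued by a second `Authority` with its own key fails to resolve, which is exactly the cross-border problem in the title: two health authorities either share keys or federate resolution, or their apps cannot trace across the border.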

We need to backtrack a bit here in the requirements analysis to reiterate that pandemic response works in a very predictable (that's how planning documents work) set of stages.

1. Containment: "contact trace and isolate".
2. Mitigation: community spread, so "flatten the curve" of hospital resources.
3. Suppression: shut as much down as possible, stay at home (especially those at high risk), and don't go out until Rt, the effective reproduction number, is less than one, indicating that community spread is over.
4. Some combination of the first 3 in different places, with hot spots still lingering while elsewhere the virus is under control and not overwhelming healthcare. At stage 4, and ideally at stage 1, testing is very important for the data modelers.

The old 19th century approaches from maritime culture were strictly quarantine from geographic  area to area, wait out the possible disease until someone was healthy or dead and avoid that element from entering into your environment.

Understand how the disease affects different social classes who may have difficulty being in quarantine on a social (like to blow off steam from intense  study by going to Cabo), or the affluent go to the summer home in the Hamptons or Cape Cod, travel to conferences, or the middle class, take a cruise.

Or go to a 1918 War Bonds Parade in Philadelphia, all with different social interactions.

It should now be clear that the different stages of the pandemic map to the risk, the risk maps to the app, and the app maps the permissions between the health authority and the rights of the individual to do their tasks on a micro level, versus the macro level of "stay at home".

The application of all these tools at the right moment in time is key to the best resolution. The virus is on a timeline.

Having Mardi Gras, bad idea for the French Quarter. Understanding the 1918 Philadelphia war bonds rally versus the results of other cities? Priceless.

Since this exists on the virus timeline, communicating good data regarding who is infected or positive is very important. How is that distributed?

All the data is important, but it is only useful at different points of the epidemic.

That the appropriate agencies, from local to state to federal, communicate the right data at the right time, accurately, is critical. Typically this might be thought of as the goals of the various stakeholders.

Each stage has different requirements and different actions as applied in different places.

Since ski areas in the mountains attracted a great many well-off covid-positive visitors, but also have limited healthcare for year-round residents, it made sense to test the entire area of Telluride to find asymptomatic positives. That's a very specific risk profile.

The NBA got tested because they make a lot of money by packing people into basketball courts, a perfect virus opportunity.

Lurie of the Eagles donated a million dollars to Penn virus research, not only a great civic gesture, but also a great investment  since that's  one more day closer to opening Lincoln Financial Field by having vaccines and serological testing.

Good requirements analysis quickly arrives at the point where the system has either intentional (or worse unintentional) tradeoffs and seeks to avoid those tradeoffs.

So in a nutshell it is not security versus privacy as a tradeoff.  Doing a privacy preserving architecture like Google and Apple have attempted definitely takes this into account.

It is not security or  privacy, this is a false dichotomy.

It is not security layered on top of software to provide secure code.

It is clearly security in the entire stack from the smallest elements to the upper layers where policy can then  be applied.

So the policy to mitigate is different from containment. The focus is on the population at that point and community spread, not in contact tracing.

Containment is about contact tracing the original 5 infected people in a country (or more depending on how many contact tracing teams you have at your disposal) and who they came in contact with.

This is great at the very beginning and end of the pandemic.

Isolate the infected and inform the contacts.

We all know that Patient 31 in South Korea was a very determined super spreader: going out to lunch while having a fever, not voluntarily quarantining, going back and forth to the hospital and going to her church, which ended up being a hot spot in Daegu. It's almost apocalyptic zealotry to lead a "normal life".


How does one handle informed consent in the covid-19 architecture?

HIPAA truly makes a joke of informed consent, people have literally no idea where their medical data goes and to whom it is sold.

So being HIPAA compliant is good, but probably not sufficient since the idea of covered entities and business associates does not quite map here.

To flip the script on the virus, we need a new pattern, the empowered individual who can access and selectively make their covid test results work for them economically. Thus two requirements emerge.

Scale this so it works on the user level in a simple way.

Make the entire system function at a  Capability Maturity Level of at least 3,  "Defined".


There is a huge market in medical data, and while it may not come down to individual patients, the results are highly tracked.

Not always for society's benefit, sometimes simply for profit.

A book just came out pinpointing the epicenter of the Opioid epidemic to a drug store and a pill mill doctor in West Virginia. All the participants are in prison now, but while it was operational, the known statistics were nothing short of incredible as to why no one acted, or why they acted but too late. It's not that the DEA did not have the data on the prescriptions; they had to be reported.

The entire industry and regulators had to realign, forced by the States who started incurring extremely high costs and of course loss of life.

A similar process is taking place with the Covid Epidemic. It is already negatively affecting the 50 States economically.

It also is greatly increasing the mortality level. If we look for historical precedent that unknowingly casts a shadow on the situation, consider the not very well known background of the Opium Wars cast in an economic perspective. We helped the British export Opium from India to China, and one should understand the context.

Technology designed to anonymize medical data for research is fairly easy to de-anonymize if not done properly, which makes medical privacy harder given the data already on the Internet.
[Latanya Sweeney]

Can the covid application be reverse engineered to reveal supposedly anonymous information?

Doxxing covid positives, or even those failing to socially distance, is already a thing on social networks by paying attention to tagging.

So clearly technology like zero-knowledge proofs is interesting for covid apps.
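As an added illustration of the Sweeney point (example code written for this page, not from any cited work), the Go program below takes a constructed "de-identified" result table and a constructed public list that share ZIP, date of birth and sex, reports the k-anonymity the release actually achieves, and runs the linkage join. With the full quasi-identifiers every record re-identifies; generalising ZIP to three digits and DOB to the year gives k=2 and the join finds nothing. The sample rows and names are made up.

```go
package main

import (
	"fmt"
	"sort"
)

// HealthRecord is a "de-identified" row: name removed, but the quasi-identifiers
// ZIP, date of birth and sex remain next to the sensitive result.
type HealthRecord struct{ ZIP, DOB, Sex, Result string }

// PublicRecord is a row from an ordinary public list (voter roll, directory)
// carrying the same quasi-identifiers next to a name.
type PublicRecord struct{ Name, ZIP, DOB, Sex string }

// QuasiKey renders the quasi-identifier tuple at a chosen granularity:
// the first zipDigits of the ZIP and either the full DOB or the year only.
func QuasiKey(zip, dob, sex string, zipDigits int, yearOnly bool) string {
	if zipDigits < len(zip) {
		zip = zip[:zipDigits]
	}
	if yearOnly && len(dob) >= 4 {
		dob = dob[:4]
	}
	return zip + "|" + dob + "|" + sex
}

// KAnonymity returns the size of the smallest equivalence class, i.e. the k
// the release actually achieves at this granularity (0 for an empty table).
func KAnonymity(recs []HealthRecord, zipDigits int, yearOnly bool) int {
	classes := map[string]int{}
	for _, r := range recs {
		classes[QuasiKey(r.ZIP, r.DOB, r.Sex, zipDigits, yearOnly)]++
	}
	k := 0
	for _, n := range classes {
		if k == 0 || n < k {
			k = n
		}
	}
	return k
}

// Reidentify is the linkage attack: join both tables on the quasi-identifiers
// and report every class where exactly one record meets exactly one name.
func Reidentify(recs []HealthRecord, pub []PublicRecord, zipDigits int, yearOnly bool) map[string]string {
	byKey := map[string][]HealthRecord{}
	for _, r := range recs {
		k := QuasiKey(r.ZIP, r.DOB, r.Sex, zipDigits, yearOnly)
		byKey[k] = append(byKey[k], r)
	}
	names := map[string][]string{}
	for _, p := range pub {
		k := QuasiKey(p.ZIP, p.DOB, p.Sex, zipDigits, yearOnly)
		names[k] = append(names[k], p.Name)
	}
	linked := map[string]string{}
	for k, hs := range byKey {
		if len(hs) == 1 && len(names[k]) == 1 {
			linked[names[k][0]] = hs[0].Result
		}
	}
	return linked
}

// Constructed sample data for this example; the people are invented.
var SampleHealth = []HealthRecord{
	{"19104", "1985-03-12", "F", "positive"},
	{"19104", "1985-07-30", "F", "negative"},
	{"19106", "1990-11-02", "M", "positive"},
	{"19106", "1990-01-15", "M", "negative"},
}

var SamplePublic = []PublicRecord{
	{"Alice", "19104", "1985-03-12", "F"},
	{"Bob", "19106", "1990-11-02", "M"},
	{"Carol", "19104", "1985-07-30", "F"},
	{"Dan", "19106", "1990-01-15", "M"},
}

func main() {
	for _, g := range []struct {
		digits   int
		yearOnly bool
	}{{5, false}, {3, true}} {
		k := KAnonymity(SampleHealth, g.digits, g.yearOnly)
		linked := Reidentify(SampleHealth, SamplePublic, g.digits, g.yearOnly)
		names := make([]string, 0, len(linked))
		for n := range linked {
			names = append(names, n)
		}
		sort.Strings(names)
		fmt.Printf("zip digits=%d yearOnly=%v -> k=%d, re-identified=%v\n", g.digits, g.yearOnly, k, names)
	}
}
```

Note that generalisation only raises k; it does not stop an attacker who already knows that both people in a class were tested, and it says nothing about the sensitive column being identical across a class (both "positive"), which is the l-diversity problem that k-anonymity alone does not address.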

We really need to come to grips with a short history of medical ethics as applied to the SARS-CoV-2 pandemic and how it intrinsically relates to how we construct our digital identity online and in our social interactions.

The app I am developing is primarily to reboot the economy (a later stage) by enabling the sharing of tests in novel ways that are good for society and the end user, and not dystopian, where it becomes a convenient social media exploitation of outrage between the positive and the negative (such as the Cabo spring break fraternity doxing). This is clearly evidenced by the hard-learned social lessons of the AIDS virus, which initially focused on LGBTQ groups, who mustered the needed attention to the crisis.

Whatever the social divisions the covid virus may create, the requirements indicate a clear technical  problem in transmission between the temporarily infected positives and the as yet to be infected negative.

In addition the serologically tested immune represent some real potential. So by all means we should deeply consider and understand the ethics as we attempt to out engineer the virus's effect on the social systems.

The parts about SARS-CoV-2 tracking (part of the general HHS recommendations on internal patient data tracking), say within a specific hospital, are thought to be too difficult to implement. This gives no TRANSPARENCY and AUDITING to the end user. Hospital data should not fail during a crisis, resulting in unnecessary mortality. This is the logic behind the IHE ATNA (Audit Trail and Node Authentication) profile.

HIMSS originally focused on celebrity patients, but realized somewhat later that medical personnel were inherently nebby (nosy) regarding any local tragedy, such as a football team all going crazy on bath salts.

As a result hospitals began to enforce  privacy policies and employ privacy officers. In the 1950's people working in obstetrics wards would sell personal information to baby photographers of baby boomers.

Besides your neighbor (who is a doctor) looking at your medical record, there also was out and out criminal behavior of people selling data like SSN for some side money. Doctors and Nurses need to have access, and they do in general all have access. However that access does not necessarily come with authority, which is being part of the care team. This points up an important requirement.

Authorization must fit the social situation

Google-Apple contact tracing on or off is not yet sufficiently rich in this requirement of a well thought out authorization model. Authorization is hard.
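Here is one way to express that requirement in code, added as an example for this page and not taken from any product: authority comes from being on the patient's care team during a bounded assignment, not from holding a clinician credential; break-glass access is permitted but flagged; and every decision, allowed or denied, is written to an audit trail of the kind the ATNA profile mentioned earlier expects. The names, purposes and outcome labels are assumptions for the example.

```go
package main

import "fmt"

// Assignment records that a clinician is on a patient's care team for a bounded
// period. Membership, not job title, is what confers authority to read the record.
type Assignment struct {
	Clinician, Patient string
	From, Until        int64 // unix seconds; Until == 0 means still open
}

// Request is one attempt to open a patient record.
type Request struct {
	Clinician, Patient, Purpose string
	At                          int64
}

// AuditEvent is what an ATNA-style audit repository would receive: every
// decision, allowed or denied, with who, whose record, why and when.
type AuditEvent struct {
	At                          int64
	Clinician, Patient, Purpose string
	Outcome                     string // "allow", "allow-break-glass" or "deny"
}

// Policy holds the care-team roster and the audit trail it produces.
type Policy struct {
	Assignments []Assignment
	Audit       []AuditEvent
}

func (p *Policy) onCareTeam(clinician, patient string, at int64) bool {
	for _, a := range p.Assignments {
		if a.Clinician == clinician && a.Patient == patient &&
			at >= a.From && (a.Until == 0 || at < a.Until) {
			return true
		}
	}
	return false
}

// Authorize decides one access and always writes an audit event. Break-glass
// access (Purpose == "emergency") is allowed but labelled separately so a
// privacy officer can review it afterwards.
func (p *Policy) Authorize(r Request) bool {
	outcome := "deny"
	switch {
	case p.onCareTeam(r.Clinician, r.Patient, r.At):
		outcome = "allow"
	case r.Purpose == "emergency":
		outcome = "allow-break-glass"
	}
	p.Audit = append(p.Audit, AuditEvent{r.At, r.Clinician, r.Patient, r.Purpose, outcome})
	return outcome != "deny"
}

// BreakGlassEvents is the privacy officer's review queue.
func (p *Policy) BreakGlassEvents() []AuditEvent {
	var out []AuditEvent
	for _, e := range p.Audit {
		if e.Outcome == "allow-break-glass" {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	p := &Policy{Assignments: []Assignment{{Clinician: "dr-ng", Patient: "pt-7", From: 100, Until: 200}}}
	for _, r := range []Request{
		{"dr-ng", "pt-7", "treatment", 150},       // on the care team: allow
		{"dr-ng", "pt-7", "treatment", 250},       // assignment ended: deny
		{"dr-neighbor", "pt-7", "curiosity", 150}, // credentialed but not on the team: deny
		{"dr-neighbor", "pt-7", "emergency", 160}, // break-glass: allow, flagged
	} {
		fmt.Println(r.Clinician, r.Purpose, p.Authorize(r))
	}
	fmt.Println("for review:", p.BreakGlassEvents())
}
```

The point of the design is the third case: the neighbour who is a doctor authenticates fine and still gets "deny", and the denial itself is on the audit trail, so the privacy officer sees attempts as well as successes.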

The text message alerts in South Korea were reverse engineered by users to figure out who was infected, without any protection against stigma or the accidental release of personal information.

We will see this in covid-19 applications, and have already seen a high degree of use of Zoom during the epidemic, along with good information on the poor security originally designed into the product.

Notably the healthcare system is one of the worst examples when it comes to data security (there are exceptions) overall, and dangerous breaches.

It's one thing to have identity theft and have to go through that, it's entirely different to be killed as a result of a medical data error.

So the original celebrity use case, say for example Tom Hanks testing positive for covid-19, has been replaced by privacy for all based on medical ethics. The extent to which this is or is not properly implemented in the healthcare system depends on factors that will be raised later in terms of mitigations, patient identity, and truly getting consent. Some of these factors are only possible if the system loses some preconceptions about its own business models and moves to a post-c-19 business model as part of the recovery. Logically they are using c-19 to reify their data paternalism, and that of public health, for factors that I describe elsewhere. Unfortunately that strategy is putting us into a depression and losing them money in the process, since they need to refocus on procedures that they can bill for and not on immediate existential survival. It's not going to be entirely the same as we learn to adapt post epidemic. Important lessons will be learned because healthcare learns.

The general idea is that your health information should be restricted to your immediate care team (those with a need to know); however that ignores the fact that medicine is a "helping profession", technically proficient but also extremely social. As a result, because of the NP-hard problem of assigning AUTHZ permissions (try looking into this on a Windows server)

In a nutshell, we hanged Nazis for doing the "same thing" in Auschwitz in terms of informed consent, even though the ideas of medical ethics were already well understood in 1930-1945 Germany, which had developed a well understood ethical code. It is not actually the "same thing" in terms of what they did, but the lack of informed consent is the same thing.

The subway test was of course harmless (well, maybe not), but the U.S. Army had a history of testing various chemical and biological agents on its own "volunteer" soldiers.

As far as the Nazi experiments went (another historical  rat hole) the similarity is that they were done without consent, were considered to be torture, and the data they obtained (such as determining survivability in cold water for downed pilots) by torturing camp victims has been well studied.

The health system here in the US has had its own ethical lapses: forced sterilization based on Eugenics, invented here in the U.S. and later unfortunately applied by the Nazis in Germany and elsewhere on a bureaucratic mass scale using IBM Hollerith punch card machines.


Monday, April 13, 2020



I have joined the ConsenSys Health "Stop Covid-19 Hackathon" to learn what Heather and Debbie are cooking up.

My goals are to increase my blockchain knowledge regarding DID and fill in gaps  regarding how this will be applied to stopping covid-19. I'm not looking at putting actual healthcare records on a public or private blockchain, something that generally seems to be a bad idea.

One functional requirement is to create a source of trust outside, but not replacing the information that Public Health is capable of delivering to end users. How does the app handle privacy?

How does it do encryption?

What type of encryption?

In terms of situational awareness of the virus, what does the end user actually need?

So given the interactions and transactions regarding Uber, a passenger who is not infected does not want to get in the car with an actively positive (and possibly asymptomatic) driver. The driver does not want to pick up an actively positive rider. There is no social distancing that is practically possible in UberX, which uses standard cars, not biocontainment-modified vehicles.

The assumption here is that the driver has properly disinfected the car, and that the rider is practicing safe processes like using hand sanitizer. The spread from one passenger to the next ride is minimized.

The transmission of the virus is time dependent and can be represented as a truth table of possible infection states. Given sufficient time (based on distance), infection is guaranteed in certain scenarios, and the driver, who is used to algorithms setting up a path of work efficiently, can ultimately be the sole judge of who rides in her car.

Questions like: is the person wearing a mask, and should I refuse anyone who is not wearing a mask? Generally the logic behind these questions is far past the actual logic of the virus, which can be fought via business process and algorithms combined to aid individual behavior but not to prescribe behavior. This is at the heart of an open system and difficult to architect.

Another requirement: Don't take away people's freedom and right to choose on a micro level by creating a surveillance system. Let those transactions flow with the added information needed to smoothly and easily complete the transaction with minimum resistance. At the same time let someone build it themselves if they wish. At all times align with fundamental rights already defined. Allow people to exercise those rights, and protect your own rights.

Rights are a very important part of the bedrock of commerce and standards. NIST is logically part of the Commerce Department. Therefore the Commerce Department should have a solution since they codify Identity with 800-63, and authentication (a huge Uber problem) relative to obtaining trust and truth.

This indicates a standardized approach to authentication or AuthN.  At the same time we do not need to limit ourselves to a particular definition of a constraint except it makes it easier to understand the requirement.  The rights are immutable, even if abused. The framework is the same, the applications are infinite. The question is at any one time how one achieves the end user goals that are hierarchical.

A practical example might be in order. The Magna Carta constrained the King by creating certain rights and standards. As such it is a fundamental resource for our American experiment. People brew and make beer. If you drink beer you want to know whether you like it, which is choice, if it is available, what is the price, and not inconsequentially how much one is consuming. If you are a conehead from "France" that might be two six packs with a side of fiberglass. As far back as the Magna Carta it was recognized there needed to be standardization in terms of beer. So they published standard amounts. Tavern keepers would often provide beer in glasses where the glass was blown or cast in a way that appeared to be larger than the actual liquid in the glass. That idea carries forward to NIST (which used to be weights and measures) and the Department of Commerce in general. Known definable quantities are required for a minimum of friction in commerce.

Literally this idea is the source of written language, back to the Sumerians, as a form of code. One does not want to take the measure of quantities without recourse to standard measurements. Literally this was a major breakthrough for civilization, and these quantity markers became alphabets. In terms of commerce one wants to "seal the contents" in a container of a certain size, imprint the size of the container on the jar (like a Java Archive), and then validate a seal with some mechanism that indicates tampering. This applies equally to a modern ledger system relying on a chain of transactions and digital signatures, "stamping a coin" or minting currency, or a potter making an amphora for oil. The general concept is fairly obvious, but the extensibility of the concept is brilliant. The fact that it is your "right" to get a standard result, that PI does not change from day to day, makes things much easier if they are based on math. The point is that one does not want to recalculate all the time, which becomes expensive. Now apply that to covid-19, or some future virus that will emerge. The fact that we can still reuse algorithmic code from ancient Babylonia should be reassuring.

Given the multiplicity of different authentication solutions, this is in itself political.

Authentication needs to scale, it should be distributed, and it can be specific to a community of interest. It is fairly simple to identify communities of interest. Each application should be appropriate to a given community of interest. That acts as a constraint. The architecture needs to be valid at the national scale (because this has been made political), defined classically as competition for scarce resources, made extremely evident in the covid response crisis. It is not clear that the government has been effective in allocating scarce resources like PPE and ventilators. Can it also break a covid-19 application by requiring a panoptic power layer? One can think of a panoptic power layer as an amplifier. Access to rtPCR testing has been up to this point difficult. This will change. Access to serological testing is about to open up substantially, since it does not require the amplification of the RNA converted to DNA and then sent to LabCorp etc. for analysis, or originally to the CDC.

This testing scarcity change is at the heart of my specific use case which in turn lights up the U.S. economy in a very traceable way from the requirements.

Note that the Uber Pool option was logically suspended during the epidemic, since it would otherwise have greatly increased risk.

Looking at the judges like Brian Behlendorf, of Apache, and specifically Hyperledger in this case, I know he has deep expertise in the subject matter of health IT. In fact all the judges look to be extremely well qualified in this common quest.

My general architecture is scoped out.

Right now I am getting DID to work on blockchain as a source of Identity. I'm interested to see how that scales and exactly the details. Currently running a Microsoft protocol on top of BTC for the prototype using a hierarchical deterministic wallet which looks like it will handle some of the thornier issues related to flexibility in assigning keys.

As far as the requirements analysis goes, the ID2020 considerations look to be good at first glance.

The US centric Uber "super spreader" perfect storm use case I am working on is constrained to having a smartphone, whereas in an international context that cannot be assumed. It should be noted that app solutions do not have to be international in scope and there is a wide variety in how different countries treat SARS-CoV-2 transmission, given there are some standard epidemiological models which should be briefly outlined in terms of national versus international solutions.

The initial phase, containment, involves dealing with individuals (coming from an infected area) and determining via symptoms whether they are infected. This has been the age old approach since the lazarettos, from 1592 to 1936: essentially forced quarantine for travelers, from a Zen standpoint a gateless gate. It was common to spend 3 weeks in quarantine coming from the Mideast to Europe. Philadelphia welcomed immigrants and as a result established a large quarantine complex on the Delaware River.

One cannot be an Uber driver without the ability to run the Uber app, because fundamentally Uber does not consider itself to be a transportation company; they consider themselves to be a technology platform. Thus, due to the algorithms, AI, offshore support, etc., it makes sense to address the problem via the API, and thus solve some of the UX issues. They may at any point integrate any idea into their app. Of course then, this does not apply to rideshare in general, or the problems of gig workers in general. So from a scalability context, whatever works for Uber argues for a separate app, a "sidecar" that both driver and passenger can use, with potential integration into the Uber API.






Nice!

Picked up my first hacker attempting to spoof the Covid Cleared blog.

As far as the "hacker" goes, it is a particular form of hacking that falls into social engineering and works using DNS.

Basically how does someone know they have reached the correct web page?

This is a problem we explore in the CAB forum for browsers and certificate authorities. It relates to the confidence that the "relying party" has that another identity is legitimate and not being spoofed.

This is done via a DNS lookup, and perhaps a web search before that lookup which has made search engines very popular since they were first introduced.

How one knows what is on the other side of an Internet connection involves different steps of verification. In general one connects to the website and is presented a digital certificate; how that certificate is built and listed is my area of expertise. Generally we have made it very easy to do, and free, using the ACME protocol.

DNS is just part of that, and a relatively weak part. From the beginning, it was meant to be a handle, not a front end to a complex backend. Now with services, almost anything can be done on the web.

Yet DNS squatting is profitable. Or simply being first to register a good domain name.

There are of course more secure alternative ways of doing this: different approaches to naming and numbering on the Internet, dating back to the original proposal for expanding the Internet from academic usage to commercial usage around 1993.

If you look at Lauren's web page it also has a little icon for the Scout Report, a concept of quality web sites and resources that came out of the same 1993 funding from the National Science Foundation that included the X.500 Directory.

Keep in mind when Matt Blaze eventually sold crypto.com, it was purchased for millions.

Vortex.com, one of the oldest domains (easily in the first hundred), was registered by Lauren Weinstein before the Internet was even fully using DNS.

The registration was processed and put on the manual hosts.txt list by Marty Schoffstall of PSINet. Domains used to be free. Yet not so easy to register. I have registered a bunch of domains, from entire countries, to newspapers like the Washington Post, to very specialized government authorities that span two states. The DNS system can accommodate all that. I also was asked to negotiate the first domain purchase.

Since Covid Cleared is simply a generic name on the Internet, it is possible to "typosquat" and register a variant, using a different TLD. It's not really hacking per se, unless some other things happen.

A secondary market for domain names was not originally anticipated since there was no actual "semantic link" between monster.com and Monsters Inc., or Famous Monsters from the 1950's. Disney has a lot to do with our current copyright situation.

Thus one ends up registering not only the domain you want, but often other "protective" domains using different TLDs. For a new unique domain that you like, that is not already used, expect to pay $12-20. Different registrars will charge a different price.

Companies that provide domains profit on each one, and obviously on the renewals.

They provide secondary markets to facilitate buying a domain name on a popular subject. Having a domain on a "subject" can be profitable.

The thing is there has been an explosion of customized TLDs from the original set. One then maps a domain name, or email address, into an X.509 digital certificate that uses the domain name as part of the certified content, or attributes.


One CTF point on the application security track regarding the UX.

The browser correctly reported it and failed with the following error message:

DLG_FLAGS_SEC_CERT_CN_INVALID

That would be *.parkingcrew.net in the common name in terms of the CTF.

However the DNS query is manipulated (and there are many possible ways that can be done), your browser will typically do an entirely separate check to see whether that certificate is actually valid in terms of the root certificates that you trust. This is a certificate chain. Since the DNS name and the common name did not agree, it threw an error.

It does this via the certification path.

In this specific case it chains up to DigiCert's Global Root G2 root, and the certificate for anything at the domain parkingcrew.net shows as valid, but pinning my blog's DNS name to that certificate results in the browser throwing the certificate invalid error.
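As an added example (not code from the blog), here is the name check a browser performs before it trusts a certificate for a host, in Python using only the standard library. It mirrors the RFC 6125 rules modern browsers apply: identities come from the subjectAltName dNSName entries (the Common Name is only a legacy fallback), a wildcard must be the whole left-most label, and it matches exactly one label. The certificate dictionary, the host names and the mapping of a mismatch to the error string quoted in the post are constructed for the demo.

```python
"""Browser-style host name check against a TLS certificate (added example).

Uses only the standard library. The certificate is a dict in the shape
returned by ssl.SSLSocket.getpeercert(), constructed here for the demo.
"""
from typing import Dict, List

# The post's scenario: a parked-domain certificate for *.parkingcrew.net is
# presented while the browser expected the blog's own name.
PARKING_CERT: Dict = {
    "subject": ((("commonName", "*.parkingcrew.net"),),),
    "subjectAltName": (("DNS", "*.parkingcrew.net"), ("DNS", "parkingcrew.net")),
}

# Error name quoted in the post for a name mismatch (Internet Explorer / old Edge).
NAME_MISMATCH = "DLG_FLAGS_SEC_CERT_CN_INVALID"


def presented_identifiers(cert: Dict) -> List[str]:
    """Names the client may compare against: SAN dNSName entries, and the
    Common Name only as a fallback when the certificate has no SAN at all."""
    san = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def identifier_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match of one presented identifier against a host name.
    A wildcard is accepted only as the entire left-most label, needs at least
    two further labels (no "*.net"), and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # "*" must be the whole first label, e.g. "*.parkingcrew.net"
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False  # one label only: a.b.parkingcrew.net does not match
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    return any(identifier_matches(ident, hostname)
               for ident in presented_identifiers(cert))


def check_hostname(cert: Dict, hostname: str) -> str:
    """Return "ok" when the certificate covers the host name the user asked
    for, otherwise the mismatch error the browser would surface. Chain
    validation (root trust, expiry, revocation) is a separate step, so a
    chain that is perfectly valid still fails here if the name is wrong."""
    return "ok" if hostname_matches(cert, hostname) else NAME_MISMATCH


if __name__ == "__main__":
    for host in ("www.parkingcrew.net", "parkingcrew.net",
                 "covidcleared.example", "deep.sub.parkingcrew.net"):
        print(f"{host:28s} -> {check_hostname(PARKING_CERT, host)}")
```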

From a UX perspective, it is not a good idea to accept that certificate, and the software does the right thing, but how many users will ignore this and click through at their own peril?

In general this can point to the difference between DNS and X.500/LDAP and where things can go wrong.




Saturday, April 11, 2020

Technical Details, a work in progress, version 1.1

Right now I am looking at an X.509v3 infrastructure widely used by the Internet and also a blockchain application.

Since I know how the X.509v3 part works and have the IP to use this in the US, this would be my first preference, but there are political problems in getting states and cities to implement the basic schema, which has existed in digital certificates since 1991 along with the entire suite of tools to make it happen.

Historically this was originally inflexible, being confined to X.500 (back in 1993 people were still thinking about an Internet based Directory, which I managed), but it still gave good results when we applied it to nuclear weapons via the national lab responsible for testing and implementing nuclear weapons treaties. This involved the collection of data, and verification of that data, from remote sensors or telemetry via the ROSE protocol.

It was subsequently extended to the Internet as X.509 version 3, from the original 1988 version of X.509, via RFC-5280.

The ITU X.509 document is from 2016, recent enough to fully understand the concept, a new paid version is available if you plan on actually implementing the standard.

That said, any state or city or government authority, hospital or organization  that wants to implement this already existing PKI infrastructure to implement the rest of the Covid Cleared economic recovery solution is welcome to get in touch.

Typically this would involve working with one of the current Certificate Authorities and setting up PKI if you want to scale outside of your organization. Internally one can do only an organization specific solution, which already exists.

Generally large scale companies like Comcast use X.509 on the back end. It pretty much is the standard basis for security on the Internet.

If you have ever gotten a personal  digital certificate or created a digital certificate for a web site or are knowledgeable regarding how TLS works with a web browser you know how the schema works.

There is nothing preventing you from creating your own certificate authority (it is built into Mac OS) or via Linux using OpenSSL. Beyond using this within a group of friends or within a small group of companies, there is fundamentally no reason a browser will trust this certificate. A browser has pre-loaded root certificates and an extensive set of self determined policy rules to protect end users of browsers, called CAB.

To actually create a secure Certificate Authority is hard. There are a lot of requirements. It is a given one will be attacked, since hackers (and Intelligence Agencies) want valid certificates to push malware in the form of software updates. This is a specific use case called CodeSigning. If you sign up to be a developer, a company will sign your code as being authentic when distributed through their App Store.

The Internet and FOSS will more likely be signed via GNUPG.

Government stuff will use NSA as a root of trust, (because they obviously won't trust the companies they can already hack as extensively documented by Snowden), but primarily because it is a specific community of interest with a set of requirements. NIST applies to both government agencies and their security, but also applies generally to a set of standards.

So technically, until we get to issues of resources (like finite processing power versus electricity as a utility) the question of trust becomes what you can afford and how well a company like Apple, Google or Microsoft can bundle all these associated services versus creating your own by either writing software or using FOSS. Each approach has its merits, and it depends on the threat model. Are you being targeted by country level hackers who want to screw up your efforts?

Totally different than other hackers. As such the architecture is somewhat independent of the threat model.

I'm going to assume that you will do the right thing from a security standpoint regarding HIPAA and the Internet and if you don't you will probably be hacked. The net result will be fake Covid test results presented to relying parties. That is a given with any FHIR based solution. It has the same security problems anything on the Internet has. Also applying the requisite security solutions will prevent a significant amount of the problems until zero days are developed. The really good part of the economic model is that it is totally useless for Joe Average Hacker to burn an 0day on an individual, since it is worth so much money. That's a feature of the design.

The very hard stuff to hack is located in a secure cloud implementation already expecting to be hacked.

The relevant Covid test data elements are distributed to individuals to share as they see fit (being their own health care information), using existing secure transfer mechanisms. The permission scope of the sharing will be the choice of the end user.

Possible variations which can be toggled, while not exhaustive, give the general idea of what permissions might look like in sharing your Covid Cleared immunity card.

The assumption here would be this is taking place as an electronic contract, but should you choose to present it in a different way that would be up to you. Each display will have a level of authenticity according to the local social protocol and access to verification devices.

Here is a Brooklyn woke version

"Ah I see you are wearing the new immunity button? Very cool, how does it work."

"Well pretty simply. If  everything is good, it glows green. Yellow if caution, and if it's red, I will take appropriate precautions"

"I'm a maker, how did you do it?"

"I downloaded the parts and plans from Adafruit, programmed some things I learned at Codecademy for CircuitPython, and made it into a wearable. I give them away to healthcare workers in the neighborhood. I integrated the JSON code from Google and Apple to do anonymous near-field and Bluetooth queries and it told me that you had the immunity attribute anonymized broadcast enabled within 6-12 feet via that Apple Watch you are wearing."

"Very cool, you want to go grab coffee? I work for the EFF and I think we could help."

Here we are mirroring the social distancing with an opportunity to scale.

1. Share only at a geographic, distance, or logically definable location.

Geofence an area and share with office mates, people who share a common employee attribute. All the people at a plant. Just the Starbucks. People at the firehouse, the local bar. Anyone on this train.
This is most likely anonymous, but able to be contact traced based on your situational awareness delivered into your in-phone geographic storage, as in the MIT Solid implementation, mashed up from lat/long and other data.


2. Share with people on my contact list, for example friends or office workers.


3. Share information with a specific person or verification device, like an Uber Driver.
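As an added example, not the project's code, the three sharing toggles above turned into a policy check: an encounter is matched against an explicit verifier, the contact list, or a geofence, and on a match only the coarse status is released, never the underlying test record. The ids, coordinates, radius and record are constructed for the demo, and the attestation reference is a placeholder.

```python
"""Sharing scopes for a Covid Cleared immunity attribute (added example).

Not the project's code. The three toggles (location, contact list,
specific person or verification device) become a policy; a match
releases only the status colour, the test record stays on the phone.
All ids, coordinates and the record below are constructed for the demo.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class GeoFence:
    lat: float
    lon: float
    radius_m: float


@dataclass
class SharePolicy:
    fences: List[GeoFence] = field(default_factory=list)   # 1. location
    contacts: Set[str] = field(default_factory=set)         # 2. contact list
    verifiers: Set[str] = field(default_factory=set)        # 3. specific person/device


@dataclass
class Encounter:
    requester_id: str
    lat: Optional[float] = None
    lon: Optional[float] = None


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two lat/long points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def matching_scope(policy: SharePolicy, enc: Encounter) -> Optional[str]:
    """Most specific scope that admits this encounter, or None.
    Order matters: an explicit verifier wins over a contact, which wins
    over merely being inside a fence; no location means no fence match."""
    if enc.requester_id in policy.verifiers:
        return "verifier"
    if enc.requester_id in policy.contacts:
        return "contact"
    if enc.lat is not None and enc.lon is not None:
        for fence in policy.fences:
            if haversine_m(enc.lat, enc.lon, fence.lat, fence.lon) <= fence.radius_m:
                return "geofence"
    return None


def disclose(record: Dict, policy: SharePolicy, enc: Encounter) -> Dict:
    """Minimum disclosure: the status colour, plus the lab attestation
    reference only for an explicit verifier (e.g. a driver's device).
    The test date and any other detail are never released by this path."""
    scope = matching_scope(policy, enc)
    if scope is None:
        return {"status": "not shared"}
    out = {"status": record["status"], "scope": scope}
    if scope == "verifier":
        out["attestation"] = record["attestation"]
    return out


# Constructed demo data: one fence ("just this firehouse"), one contact,
# one verifier device; the attestation value is a placeholder.
RECORD = {"status": "green", "test_date": "2020-04-10",
          "attestation": "LAB-ATTESTATION-REF-PLACEHOLDER"}
POLICY = SharePolicy(
    fences=[GeoFence(40.6892, -73.9857, 150.0)],
    contacts={"alice"},
    verifiers={"uber-driver-777"},
)

if __name__ == "__main__":
    for enc in (Encounter("uber-driver-777"), Encounter("alice"),
                Encounter("stranger", lat=40.6893, lon=-73.9856),
                Encounter("bobs")):
        print(enc.requester_id, "->", disclose(RECORD, POLICY, enc))
```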

The full set of all possible permissions is NP-hard.

The data is infinitely scalable but localized by the preferences of the user.

Any encounter will involve business rules that exist for the environment, which can be communicated as a message to the end user in recognition of the official Covid Risk score at that time and place, which will be calculated by testing and broadcast by Public Health.

"Hello, welcome to Delaware."

"Our beaches are currently closed at Rehoboth. All others are open."

Once downloaded into the smartphone, the keys for the Covid test data reference live in a Secure Enclave on Apple or Android.

Subsequently it is displayed according to the user permissions.

"Hi Peter"

"Hi Bobs"

"Seems like you have some problems with the TPS Reports?"

"No problem, actually I don't do them"

"We are doing a layoff with the Covid, was wondering if you are immune"

"Sorry Bobs, that's on a strictly need to know, that only is shared within the department."

Given the NP-hard problem of attribute permissions, the idea is to assign or delegate authority via an authority manager that is capable of being adapted to most situations.

"Sorry, can't go in there. That person is quarantined due to cancer immune suppression".

"But I am Covid Cleared"

"I know, we scanned your Covid status, no problem, however you could have other potential infectious conditions that we don't track, so we could not arrive at a mutual risk score to allow entry."


Risk continued: country-level hackers

A Chinese APT crew hacked an entire healthcare system via a published exploit in a massive system breach, a named exploit, "Heartbleed", that had a logo. The healthcare system appropriately responded, within a 24 hour window, to patch the vulnerable device once the software was available from the vendor. Good, but not good enough: the APT crew had already stolen the admin credentials, forged them, and exfiltrated all the database data back to China before the patch was applied. Try doing that with 120 million people with the data stored on their smart device.

They can attack the cloud provider itself (not unheard of certainly but clearly possible to defend if there is no obvious negligence by the developer such as leaving access information on Github for example) with various attacks.

Building a HIPAA firewall?

National Security and Law Enforcement already have legal access to your medical records, and you have already signed a document that you understand this. It is simply built into HIPAA. Whether you want to participate in a healthcare clinical test is up to you. They don't have automatic consent to make you a test subject, based on medical ethics derived from the Nuremberg trials. These fundamental rights will not be abused by bad software design. Even if you signed that HIPAA notification form to get treatment, there has to be informed consent. That means there needs to be a consensus as to transparency.

This is a fundamental tension of combining Intelligence with economic goals, and why the Sars-COV-2 virus lays this bare. We need good intelligence and we need good security and privacy, plus we need economic growth and stability. Unfortunately, for whatever motivation, sometimes people want to actively screw around with that (on a case by case basis) until they are detected, and booted out. This can be categorized as security failures either on a personal level, or at scale.

Notable examples of failure would be DigiNotar.

Yet at the same time it is very simple to roll some of your own certificates if you trust your peers. Somewhere in between is a subCA that can create its own certificates, which are then trusted by Internet software by virtue of being built by a recognized Certificate Authority but managed by a community of interest organized around industry groups such as Aerospace, Pharma, and Healthcare. Those groups need a consistent approach regarding submitting paperwork to the government and interacting with government systems. As such the encryption is important, but the big payoff is in digital signatures for things like clinical drug trials. Digital signatures are an important part of X.509v3 and legally recognized in the US as valid due to work done by the ABA which resulted in the ESIGN law.

In general, as opposed to the hierarchical root of 1988 X.500, the more recent versions of the software modify this. As a result there is no single point of truth (a general problem with distributed systems, referred to as the Byzantine Generals Problem with regard to blockchain). Instead, somewhere after the X.509 and X.500 infrastructure that I managed ended its funding grant from the National Science Foundation,

The actual structure of the attribute certificate, versus an identity certificate, is less well known, and to my knowledge not as well implemented as identity certificates. It has been developed in the standard; the basic concept is that your identity is fairly well established (and can be done in a number of different ways) but not by itself

The ACME protocol is well established, so getting a web server solution is easy. Users don't understand that encrypting the connection to a website via TLS only protects the network connection, not the security of the website.

This c=US architecture solution is at once proprietary intellectual property, open source, and importantly an existing ISO standard. This means traceability and thus a reason to trust the results.

Blockchain

Microsoft is helping with blockchain development, and I want to pull in partners from my blockchain healthcare contacts.

This is open source. As such there is a delay to get up to speed that will match the delay in the availability of the tests. Part of the prototype backend is being built on Microsoft Azure for simplification; it should be able to be built and deployed on any cloud provider, however, for the targeted community of interest related to your use case.

Who is your use case?  I am focusing on Uber/Lyft drivers. Maybe you are a developer for Epic or a hospital IT admin who develops apps. Perhaps you work for a large company that has an Active Directory foot print. A large college or University. A city government public health department. Maybe a Navy secretary. Someone who focuses on the under served such as the homeless? At some point the solution (or any developed version of the solution) has to be administered and maintained by someone and then scale to specific communities of interest that have their own unique privacy and security requirements.

The TL;DR is that a blockchain approach is very attractive: your blockchain is private, the labs and healthcare providers are on a public blockchain, and they attest to the validity of the serology test by digitally signing the result. There are existing healthcare data transfer and verification mechanisms that can be pulled in.

As a patient you have every right to voluntarily share your Covid status with whomever you want. This is a vast simplification from public health that must maintain a privacy shield around people who test positive with the rtPCR test. Your right to use your health data is informed consent and part of a larger set of immutable rights for every human regardless of political location.

What we see now in some Covid applications is a questionable application of human rights. So this must be addressed in the requirements. Public Health, Law Enforcement and National Security can share this data as they see fit per regulations. As an individual you do not have these restrictions but neither can you stop them from gathering data. Ultimately they need to commit resources, but at this point they failed the containment phase by allowing the spread of the virus. We don't also want them to fail the recovery phase by stopping people from working who have tested immune. I hope that is logical, it has been endorsed by public health officials.


A healthcare provider must share it with you in a format you choose. To make it simple for the prototype we will use the already existing FHIR protocol that can transfer data into Apple Health. At that point the app or native applications will display the data or communicate the data in the format that you wish: QR code, NFC, AirDrop, email as an attachment, and so on.

Wednesday, April 8, 2020

Technical Details (newer version available 1.1)

Right now I am looking at an X.509v3 infrastructure widely used by the Internet and also a blockchain application.

Since I know how the X.509v3 part works and have the IP to use this in the US, this would be my preference, but there are political problems in getting states and cities to implement the basic schema, which has existed in digital certificates since 1991.

If you have gotten a digital certificate or created a digital certificate you know how the schema works.

The actual structure of the attribute certificate is less well known, and to my knowledge not as well implemented as identity certificates. This is at once proprietary, open source, and importantly an ISO standard.



Faster than the virus? A vastly simplified Architecture

As of 4/8/2020 some potential architectures have emerged for CovidCleared as a result of requirements gathering.

The serology tests that indicate antibodies to the Sars-Cov-2 virus are being tested in various places, find out where you can get tested.

Various key public health  figures have come out in support of this testing as an important step in going back to work for millions of people, and of course they want to initially test healthcare workers before the public.

My cohort is transportation workers, specifically Uber and Lyft, but also taxi and bus drivers. Essentially people in a confined environment that may be rtPCR status positive and be unaware of that status due to asymptomatic spread of the virus. They may have quarantined and are now recovered, and thus can be tested using the serology test. Failing to have antibodies indicates the person is uninfected, and thus at risk of being infected at a future date. That risk will go down as the virus stops replicating, that is, once the reproduction number falls sufficiently below an R naught of 1 as determined by public health authorities.

So primarily this only works for those that already tested positive and subsequently became immune and are no longer spreading the virus. Bear in mind that people are likely to spread the virus before they manifest symptoms which is why the rtPCR test is useful but insufficient.

So how to document status? There are different opinions on how to make that scale. It has to scale from the individual to the group. Some of these groups are ad hoc, like passengers on a subway.

We are a long way from herd immunity to the virus, and have been relying on "heard" symptoms such as socially distancing from someone with a dry cough, or any of the other tools of social distancing. This is effective until actual immunity can be demonstrated, which is the serology test.

Then that exists as a health record. Your doctor has it. You have it. And according to HIPAA, quite a few other people and agencies have it, such as National Security and Law Enforcement.

Ok, well what has Homeland Security been cooking up from a technology perspective to deal with these or similar situations? The quick answer is DID, or decentralized identification. Bear in mind I think geographical units should employ X.509v3 attribute and identity certificates, which might be scaled to actual places and businesses. A business can bring up its own identity scheme: all McDonald's, for example, or all Whole Foods. They then can further identify employees (which they have to do anyway and probably have) in order to pay them and assign jobs. They would also need to have an RFC 5755 attribute certificate, which likely no one has yet. These would have to be issued by Certificate Authorities.


The most obvious security response is surveillance. This falls into pre-existing surveillance and surveillance that people are willing to help facilitate themselves.

Unlike China, we don't have Alibaba and Alipay to simply refactor with a QR code to give us a Red, Yellow, Green status at a subway entrance.

In order to meet both privacy and sharing requirements different available technologies must be used to support the process that can be deployed onto a smartphone.

So a QR code is good.

The color scheme is simple, good.

Health questionnaire, probably too much information, just the Covid test status.

Geolocation data? Maybe. This would help with contact tracing, but for the already immune it does not seem necessary. MIT has a location tracking app that stores the data on your own phone.

Body temperature scanned at airports, etc. Why not? Although it's not sufficient, it can be a referral if someone is running a fever. A contactless forehead scan before taking an Uber should not be a problem.

So much for the front end: a simple app with supporting signs at public places, or the places where one might become infected.

Now what about the backend?

You have taken the serological test in mid-April and, since you contracted the virus and quarantined and recovered, you are now immune. Congratulations. How does this data get on your smartphone?
For the iPhone it can live in your wallet via Apple Health. It is exposed just like a credit card. Of course we don't want you borrowing anyone else's phone to take an Uber or ride the subway, so there must be a corresponding personal digital identifier which you must share. This does not need to be your legal name, etc. However, it must uniquely belong to only you.

So the backend must take on the burden of creating a DID through an interface, persisting that data (in this case on a blockchain), and then getting it to your smartphone. The transmission of the actual health record is via FHIR, because one has to contact one's healthcare provider and transfer the record onto your phone, in the case of Apple. This already works.

In the Uber use case you would verify your Covid status with your driver and the driver would verify theirs with you. Based on the results one can then accept or reject the proposed ride share. Your risk would be computed based on the public health parameters already established.

See the technical details post for ideas on how to build an infrastructure to support this and suggestions for an application.