New UK and French Tracing Apps Conflict With Guidelines Set by Apple and Google
This week, Apple and Google released new guidelines for the use of their coronavirus contact tracing application programming interface (API), which, among other things, insist that data collected by tracing apps be decentralized to preserve privacy and give users more control over their information. These guidelines conflict with tracing apps being developed by the governments of the UK and France, who argue that centralizing users’ data would allow health authorities to make better decisions about who to alert and enhance understanding of the virus’ spread. Apple and Google have refused to budge on the issue, however, which puts the two countries in a predicament. Because Apple and Google operating systems will only support their own API for contact tracing functionality, unsupported apps developed by governments will only be able to broadcast Bluetooth signals, which underpin the contact tracing protocol, when users’ phones are awake. This would dramatically reduce the effectiveness of these systems. In response, France has complained that the companies are threatening its “technological sovereignty” by constraining its choices.
France to Use Cameras to Monitor Mask and Social Distancing Compliance
With France’s lockdown set to ease on May 11, some French cities plan to use video surveillance cameras to monitor compliance with mask and social distancing guidelines in public spaces. The technology, developed by a firm called Datakalab, has already been tested in Cannes at outdoor markets and on buses. The company claims its software abides by European Union privacy laws and does not use facial recognition technology because it neither stores nor transmits images. This, Datakalab states, separates its product from the kind of high-tech surveillance common in China. It does, however, automatically alert authorities if it spots a violation.
Facebook Announces Members of Oversight Board
On Wednesday, Facebook announced the first members of its oversight board, which will make “final and binding decisions on whether specific content should be allowed or removed from Facebook and Instagram.” The board has four co-chairs: two American law professors, a Colombian law school dean, and a former Danish prime minister. The other members include journalists, judges, digital rights advocates, and former government officials from across the world. The board is fully funded by a trust and thus financially independent from Facebook; employees work for the trust, not Facebook, and can’t be removed by the company. Michael McConnell, one of the co-chairs, explained that instead of acting as an “internet police,” the board will focus on cases that affect large numbers of users and public discourse. However, critics are skeptical that the board of forty part-time members will be able to effectively moderate a platform with 2.37 billion users. Others worry that Facebook’s leadership could simply ignore the board’s recommendations or blame it when forced to make unpopular decisions.
Germany Issues Warrant for Arrest of Alleged Russian Hacker Over Bundestag Attack
On Tuesday, German prosecutors issued a warrant for the arrest of Dmitriy Sergeyevich Badin, a Russian national accused of hacking the Bundestag, the German federal parliament. The German government suspects—and investigators from Bellingcat confirm—that Badin is a member of Unit 26165 of the Russian military’s Main Intelligence Directorate (GRU), known in the private sector as APT 28/Fancy Bear. The indictment asserts that Badin and others used fake United Nations emails to trick staff into opening malicious documents, which delivered malware that allowed APT 28 to access the entire Bundestag network. This is not the first time that Badin has made international headlines. In 2018, he was charged by the United States for his involvement in cyberattacks against the Democratic National Committee (DNC) and the World Anti-Doping Agency.
Major European Hospital Operator Infected With Ransomware
This week, Fresenius, the largest private hospital operator in Europe, was infected with ransomware. The ransomware, called Snake, reportedly affected “every part of the company’s operations around the globe” and limited some corporate functions, though patient care continues. Fresenius also admitted that the attack hampered production of its pharmaceutical products, including pain relievers, which are in particularly high demand during the coronavirus pandemic. While it is unclear who is behind the attack, the incident follows a prominent trend of cybercriminals and state cyber actors targeting health-care infrastructure during the coronavirus pandemic.