NSO Group Did Not Protect the Server It Used to Demonstrate Location-Based Centralized Contact Tracing in Israel (techcrunch.com)

Zack Whittaker, TechCrunch:

While most governments lean toward privacy-focused apps that use Bluetooth signals to create an anonymous profile of a person’s whereabouts, others, like Israel, use location and cell phone data to track the spread of the virus.

[…]

Security researcher Bob Diachenko discovered one of NSO’s contact-tracing systems on the internet, unprotected and without a password, for anyone to access. After he contacted the company, NSO pulled the unprotected database offline. Diachenko said he believes the database contains dummy data.

NSO told TechCrunch that the system was only for demonstrating its technology and denied it was exposed because of a security lapse. NSO is still waiting for the Israeli government’s approval to feed cell records into the system. But experts say the system should not have been open to begin with, and that centralized databases of citizens’ location data pose a security and privacy risk.

This is one of the inherent risks of a centralized system. The other, of course, is that there is a lazy but not incorrect slippery slope argument to be made that this system could be expanded or repurposed for direct tracking of individuals, but that would not be possible with an anonymous and decentralized system.

Also, I know NSO Group is Israeli and, so, it makes sense for them to be developing Israel’s contact tracing system, but their involvement is somewhere between suspicious and icky.