Image slightly altered from https://www.rottentomatoes.com/m/the_good_the_bad_and_the_ugly
Written by Karen Renaud, Paul van Schaik, Alastair Irons and Sara Wilford
On the 23rd March 2020, the UK entered a pandemic lockdown. Organisations moved their activities online. Which technologies did they use? How well did communication work?
We discovered a lack of planning for this kind of event. Organisations are likely to do better in the future. We hope to feed into their planning.
We discuss the Secure, the Insecure and the Worrying.
The Secure
Our institutions implemented GDPR measures in 2018. They published policies and provided secure storage. This meant they were well prepared for the lockdown, when it came to data storage.
However, a brief review of the authors’ institutions’ policies revealed some issues. None of the policies mentioned video conferencing software. Nor were any recommendations made about protocols for home working or secure software. There were no guidelines for hardware configurations that would help improve home working security. Finally, there was no mention of the use of VPNs (Virtual Private Networks).
The Insecure
Because of the speed of the lockdown, very few organisations had the time to put policies or protocols in place regarding remote working practices. This means many employees figured out their practices for themselves. They might be well informed, and do so securely. They might also put themselves and their employers’ devices at risk.
Unwise Installation
One the one hand, there is a need to be inclusive and to ensure that users have the hardware and software. Employees may have been given admin rights to enable them to install software. This is understandable because their corporate IT support do not have the capacity to support a multitude of users working remotely. This is risky. It also potentially causes stress when things do not work or users cannot connect to their colleagues.
On the other hand, the need to connect with others can lead to unwise installation of technologies. The usual security checks might not be in place. The adoption of workable solutions in the short term could well obscure underlying problems. GDPR violations might result.
When the lockdown is over, the extent of such violations will emerge. The consequences are bound to be unpleasant.
School Teachers
School teachers are perhaps most unprepared to move their activities online. The bulk of their work is face-to-face with children. They have had to find other ways to engage. The advice from Human Rights Watch is to focus on the most accessible technologies and methods. There is no mention of privacy or security considerations. Privacy, too, is a human right (United Nations Declaration of Human Rights (UDHR) 1948, Article 12) and in Europe the GDPR regulations have stringent rules requiring that children’s data be kept private.
Example
Gym teachers would like their pupils to provide evidence that they are doing their exercises. How do they do this while all their pupils are quarantined?
Anonymous posted a comment to a Reddit group, saying that a teacher wanted children to post videos to YouTube. The first comment is from a teacher, defending the practice:
“I think the mindset is trying to prevent students from just faking it by having them show evidence, but an email to the teacher asking for an alternative assignment should work.” Another teacher explains: “My district wants me to document everything I am doing daily that is focused on my degree. 3 to 5 hours a day M-F. How the hell can I come up with 3 to 5 hrs of stuff 5 days a week? We have to document it and turn in a log sheet every Monday.”
We are not blaming teachers. We are pointing the finger at those who are responsible for providing teachers with the technologies they need. It seems as if they have been left to find their own way. That they make mistakes when their employers fail to support them is understandable
The Worrying
Governments are doing everything they can to prevent deaths during the COVID-19 pandemic. Some governments have promoted contact tracing tools. These can be mobile phone apps or they could use cell tower triangulation. These can trace all the people an infected person has been in contact with to provide warning of possible infection. Contact tracing is a mature technique, which has been used to track tuberculosis, SARS or STD contacts.
These apps can violate privacy and other human rights after the pandemic has abated. Some countries have used contact tracing in an authoritarian and privacy violating fashion. Graham Cluley explains how an Israeli company’s app respects the privacy of citizens. The NHS app, by contrast, stores data centrally, and does not align with the way the Israeli app does things. Many have concerns. The graph below demonstrates a Google Searches for Surveillance vs. Contact Tracing from 10 March 2020 to 10 April 2020 showing that there is some concern in the UK.
What worries people is that the app will be used for other purposes after the pandemic. The COVID app has already been used in the USA to identify protesters.
Communications
Government communications about hand washing have been clear and concise. The communications related to mask wearing has been confusing. The trends graph shown below demonstrates the differences in searching between these terms.
People were initially told that face masks were ineffective. Then, on the 1st April, the World Health Organisation (WHO) announced that it was considering changing its guidance on face masks.
On the 7th April, the Centre for Disease Control (CDC) recommended wearing face masks in public. On 8th April, the WHO announced that there was no evidence to suggest wearing a face mask would prevent healthy people from catching Covid-19
As the lockdown continues, others raised their voices. Massimo Marchiori explains that face masks change people’s behaviours, encouraging social distancing. Experts encourage their use.
Britons are told that they do not have to wear face masks in April 2020. By June, face masks are strongly advised, or mandated.
Finally, in June 2020, the WHO reconsiders their stance and now advise the wearing of face masks.
These kinds of conflicting messages are unhelpful. A great blog by Emily So and Hannah Baker doing this topic more justice than we have here.
Guidelines & Recommendations
In the full paper (link below), we provide comprehensive guidelines for home working, which we hope will be useful to organisations.
Karen Renaud, Paul van Schaik, Alastair Irons, Sara Wilford. 2020 UK Lockdown Cyber Narratives: the Secure, the Insecure and the Worrying. https://arxiv.org/abs/2006.06340