KuppingerCole Blog

PEPP-PT: Bridging the Gap Between COVID-19 Pandemic Control and Privacy by Design

The use of modern information technology, in particular mobile data, is seen as a central measure in containing the current pandemic. However, the Corona App, which is used in South Korea to track the chains of infection, uses a variety of data (GPS, surveillance cameras, credit card data) to track the movements of potentially infected people, and does so in complete disregard of the privacy of those affected.

Access to personal mobility data, combined with information on actual infections and diseases, holds the promise of providing better insight into the pathways of infection and the spread of diseases, especially during the currently expanding COVID-19 pandemic. However, access to such data is, rightly, not possible or at least not easy. In societies based on the rule of law and conscious of data protection, it is essential to consistently weigh the added value of such use against the rights of those affected. The proximity tracing framework PEPP-PT aims at providing a more responsible foundation for data-saving anti-corona apps.

Does privacy hinder Corona disease control?

The masses of fine-grained motion data of smartphone users available, e.g., from mobile operators soon became a subject of interest. Applying big data analytics was expected to provide insight into each and every phone user’s most personal travel behavior. By applying well-defined sets of rules laid out by medical experts and epidemiologists, this data would supposedly help identify possible infections before they facilitate the further spread of the virus. Retrospectively, after a person is known to have the virus, their recent movements would identify the people they potentially came into contact with. This information would then become the basis for a possible self-quarantine.

With the GDPR (EU General Data Protection Regulation) coming into force, the data owner, i.e. each single person concerned, was given extensive means to put a stop to the undesired collection, storage and use of data. This is not difficult to understand in the context of unwanted advertising, continuous, even cumulative, evaluation of user behavior or an exaggerated collecting frenzy on the part of state authorities with a view to possible future criminal prosecution.

But this perception changes considerably when it comes to the use of modern IT and big data for targeted and efficient disease control in the current challenge posed by Corona/COVID-19.

Simple solutions tend to be wrong

Initially, overhasty people (politicians) were quick to call for forced state access to the usage data that mobile phone providers hold about the network cells in which mobile devices are registered. Beyond a legal and socio-political consideration of this approach, a quick reality check makes clear: Due to the coarse grid that network cells represent, this data is as useful for the desired purpose as a rake used as a replacement for a fork. Even GPS data is not sufficiently granular to identify critical contacts (i.e. those less than about 5 meters apart) between potentially infected people. And it is usually not available for indoor activities. This can only be remedied with the help of Bluetooth technology, although this information -- just like GPS data of mobile phone users -- is often not available at all, let alone centrally.

It is therefore necessary to actively obtain and properly process such data specifically for this purpose. A system would have to be created that can record contacts between people and correlate them retrospectively.

COVID-19 and Privacy by design

As important and helpful as this information is, the hurdles to collecting it while respecting each citizen's right to privacy are immense. A pandemic by no means justifies any violation of a fundamental right such as the constitutional right of a citizen to self-determination regarding their personal information.

The GDPR sets out specific requirements for processing personal data, and this is where the principle of "privacy by design" comes into play. Initially defined in 2011 (PDF by Ann Cavoukian), this principle demands that systems, processes and applications must always be designed in such a way that data protection is technically inseparable from the development of the actual data processing. The protection of personal data (PII - Personally Identifiable Information) in the sense of the GDPR must be maintained by taking adequate technical and organizational measures from an early stage of development onwards.

So, anyone who, when it comes to solving the issue as described above, immediately thinks of the forced installation of an intrusive sniffer app similar to the Chinese social rating model under the cloak of protecting the individual's health is wrong.

Fighting the pandemic with voluntary proximity tracing

This can be done better, and the evidence has just been presented. The PEPP-PT (Pan European Privacy Protecting Proximity Tracing) concept, developed by a multinational team that includes several Fraunhofer Institutes, among them the Heinrich Hertz Institute in Berlin, is a prime example of a technologically sound and privacy-compliant approach to providing non-pharmacological support for pandemic containment. Through PEPP-PT, a tracing concept has been defined that can be used to identify chains of infection and alert those affected.


As a matter of principle, it actually does not even involve tracking. Rather, mobile phones communicate with each other and locally collect pseudonymized traces of relevant encounters. This happens without any central storage and without geolocation information. Based on Bluetooth low-energy technology, it is possible to determine with an accuracy of less than two meters that two people are next to each other. Where exactly this happened is fully irrelevant regarding a possible infection.

There are several strengths to this solution that set it apart from forced access to mobile data:

  • Data is stored locally in the user's own mobile phone as much as possible.
  • Contact data is pseudonymized with continuously changing IDs, so that re-identification using locally stored data is precluded by design.
  • Only when an infection has been confirmed may the affected person choose to release this data to create the possibility to identify IDs in danger through previous contact.
  • People can subsequently be notified via the app, still with privacy in mind.
  • Finally, it must be emphasized again that every step remains entirely voluntary. From installing the app, to actually using it, to transmitting data to potentially infected persons, there is no such thing as forced monitoring by a compulsory app.
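
The mechanism in the list above, sketched as an added example (this is not PEPP-PT's reference implementation and not code from this article). The HMAC-based ID derivation, the 15-minute epoch, the 14-day retention window and the purely local matching step are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

RETENTION_EPOCHS = 14 * 96   # assumed: keep 14 days of 15-minute epochs


class Phone:
    """One handset. Everything here stays on the device unless release() is called."""

    def __init__(self):
        self._secret = os.urandom(32)   # per-device secret, never broadcast
        self.heard = {}                 # epoch -> set of pseudonyms seen nearby

    def ephemeral_id(self, epoch: int) -> bytes:
        # A fresh 16-byte pseudonym per epoch. Without the secret, IDs from
        # different epochs cannot be linked to each other or to the owner.
        mac = hmac.new(self._secret, epoch.to_bytes(8, "big"), hashlib.sha256)
        return mac.digest()[:16]

    def record(self, epoch: int, eph_id: bytes) -> None:
        self.heard.setdefault(epoch, set()).add(eph_id)
        # Data minimisation: drop encounters older than the retention window.
        for old in [e for e in self.heard if e <= epoch - RETENTION_EPOCHS]:
            del self.heard[old]

    def release(self) -> set:
        """Voluntary step after a confirmed infection: hand over the pseudonyms
        this phone heard. No location, no names, no identity of the sender."""
        return set().union(*self.heard.values()) if self.heard else set()

    def exposed_epochs(self, released: set, first: int, last: int) -> list:
        """Runs locally on every phone: was one of MY past pseudonyms released?"""
        return [e for e in range(first, last + 1)
                if self.ephemeral_id(e) in released]


def meet(a: Phone, b: Phone, epoch: int) -> None:
    """Two phones within Bluetooth range exchange their current pseudonyms."""
    a.record(epoch, b.ephemeral_id(epoch))
    b.record(epoch, a.ephemeral_id(epoch))


def demo() -> dict:
    # Constructed scenario: Alice meets Bob twice; Carol only ever meets Bob.
    alice, bob, carol = Phone(), Phone(), Phone()
    meet(alice, bob, 100)
    meet(alice, bob, 101)
    meet(bob, carol, 500)
    released = alice.release()          # Alice tests positive and opts in
    return {
        "bob": bob.exposed_epochs(released, 0, 600),
        "carol": carol.exposed_epochs(released, 0, 600),
        "ids_rotate": bob.ephemeral_id(100) != bob.ephemeral_id(101),
    }


if __name__ == "__main__":
    print(demo())
```

Only Bob's phone can recognise the released values as its own, so the notification reaches him without anyone else learning who he is or where the encounter took place.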

Beyond the app: PEPP-PT as an open, scalable framework

The system is open (with a reference implementation to be made available using a Mozilla license), internationally applicable, interoperable and scalable. It is not “just an app” but a framework that enables developers to leverage this technology and to support this purpose with suitable apps based on it. This means that privacy and data protection are not a hindrance to intelligent combating of the current health threat. Rather, by considering the "privacy by design" concept, the volunteer approach and an impressively intelligent concept, a solution has been designed that simultaneously meets the requirements of modern democracies and those of infection prevention.

This is an important lesson to keep in mind when implementing more next-generation communication systems in a post-Corona era. As an analyst / advisor with more than two decades of experience in the field of IAM, I am also quite impressed by how pseudonymized identity management has been designed in a decentralized manner and I am really interested to see it face the reality test soon.

Working Securely at Home During the Pandemic

As more people are working from home than ever before, there is an increasing demand for communication services. But security needs to be a key consideration as businesses adapt to a new way of working, as my colleagues John Tolbert, Matthias Reinwarth, and Alexei Balaganski have pointed out in their recommendations on responding to the COVID-19 pandemic.

The move to cloud is obvious

For many organizations, meeting the challenges presented by the pandemic means making a quick move to the cloud, but as Matthias points out, this must be managed properly with security in mind.

AWS, which places a great deal of emphasis on security and claims that all its services are secure out of the box, is inevitably seeing a huge spike in demand for its cloud-based communication services, but is well-positioned to meet the change in demand and usage patterns.

AWS reports reductions in demand from some customers and increases in others, depending on how those organizations are being impacted by the pandemic. This is easily managed for AWS, which is able to scale in both directions as demand requires.

As noted by my colleagues, organizations should seriously consider the security implications of employees using their own, potentially malware-infested, laptop and desktop computers when working from home.

Remote desktops a good option

In the light of the risk of malware on employee laptops and desktops, organizations should consider using a remote desktop. According to AWS, it is seeing an increase in demand for its WorkSpaces service which is a secure desktop-as-a-service solution for Windows or Linux.

This approach makes sense during the pandemic because organizations do not need to provide laptops and desktops to all employees: those who have their own equipment can use it to access a remote desktop, but without malware and other security concerns. The service can also be deployed without delay. According to AWS, WorkSpaces can be deployed in as little as 5 minutes.

The approach inserts a logical gap between the employees’ laptops and the enterprise environment because the processor and operating system are provided by the supplier of the remote desktop service.

The location of AWS data centres in Dublin, Frankfurt and Paris ensures that there are no latency problems within Europe.

Secure meetings

The recent security warnings about vulnerabilities in the Windows client of the Zoom video conferencing app have underlined the importance of choosing a secure video conferencing option.

AWS is offering a three-month free trial of its new Chime Professional communications service, which AWS uses internally. The service is designed with regulations such as the EU’s General Data Protection Regulation (GDPR) in mind. Chime Professional allows users to choose where the communications bridge is located, and the service is designed so that no traffic will leave the region of the chosen bridge location.

Critical infrastructure

In addition to capacity provided by regional data centers, AWS is considered part of critical national infrastructure in many European countries, which means that governments have a vested interest in providing support wherever it may be needed.

Due to compliance with German cyber security legislation, Amazon Elastic Compute Cloud (EC2), CloudFront content delivery network and Route 53 domain name service (DNS) have official recognition as critical infrastructure in Germany.  

AWS does not anticipate any limits or restrictions regarding the availability of AWS services or restrictions on AWS usage as a result of COVID-19. The AWS Cloud is built for customers to scale up as needed, so they can continue to use AWS as normal.

New AWS security capabilities

Access Analyzer and Amazon Detective, two innovations announced at the AWS re:Invent conference in Las Vegas in December 2019, are now generally available.

Access Analyzer is a new Identity and Access Management (IAM) capability for Amazon S3 (Simple Storage Service) to make it easy for customer organizations to review access policies and audit them for unintended access.

Access Analyzer is a feature of AWS accounts offered at no additional charge that provides a single view across all access policies to determine whether any have been misconfigured to allow unintended public or cross-account access.
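
To make "unintended public or cross-account access" concrete, here is an added example (not AWS code, and far simpler than what Access Analyzer itself does) that walks an S3 bucket policy and lists every Allow statement whose principal lies outside the owning account. The sample policy, account IDs and bucket name are constructed placeholders.

```python
import json
import re

# Matches a bare 12-digit account ID or an IAM ARN and captures the account ID.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")

# Constructed sample bucket policy (placeholder account IDs and bucket name).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "Partner", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::444455556666:root",
                           "arn:aws:iam::111122223333:role/app"]},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")


def _principals(statement: dict) -> list:
    """Normalise the Principal element to a list of AWS principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def find_external_access(policy: dict, own_account: str) -> list:
    """Return (Sid, kind, principal) for each Allow that reaches outside own_account."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":   # Deny statements never grant access
            continue
        for principal in _principals(stmt):
            if principal == "*":
                # A Condition may narrow the grant; this sketch does not
                # evaluate it and only marks the statement for review.
                kind = "public-with-condition" if stmt.get("Condition") else "public"
            else:
                match = ACCOUNT_RE.match(principal)
                if not match or match.group(1) == own_account:
                    continue
                kind = "cross-account"
            findings.append((stmt.get("Sid", "?"), kind, principal))
    return findings


if __name__ == "__main__":
    for finding in find_external_access(SAMPLE_POLICY, "111122223333"):
        print(finding)
```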

The newly available Amazon Detective security service is designed to make it easy for customers to conduct faster and more efficient investigations into security issues across their workloads.

Amazon Detective helps security teams conduct investigations by automatically analyzing and organizing data from AWS CloudTrail and Amazon Virtual Private Cloud (VPC) Flow Logs into a graph model that summarizes resource behaviors and interactions across a customer’s AWS environment.

Amazon Detective’s visualizations are designed to provide the details, context, and guidance to help analysts determine the nature and extent of issues identified by AWS security services like Amazon GuardDuty, Amazon Inspector, Amazon Macie, and AWS Security Hub, to enable security teams to begin remediation quickly.

It is good that security is an integral part of all AWS services, and that AWS is continually improving existing services as well as adding new ones to further enhance its security offering, which will now appeal to a whole new market as organizations look for ways to keep working.

For more on security solutions, reviews and comparisons, see our research. For actionable guidance, our team of advisors can assist you with developing tactics and strategies.

Ransomware During the Pandemic Crisis

It is really astonishing how quickly the word “pandemic” has evolved from a subject of obscure computer games to the center of everyone’s daily conversations… However, when discussing the latest news about the coronavirus outbreak, one should not forget another pandemic that’s been causing massive damages to businesses, governments, and individuals around the world for several years already.

Since its initial emergence in Eastern Europe about a decade ago, it has quickly evolved into one of the largest global cyberthreats, crippling hospitals and entire cities, bringing large corporations to a total halt, costing the world billions in economic losses. We are, of course, talking about ransomware.

What is ransomware anyway?

Actually, the answer is directly in the name: ransomware is a kind of malicious software that’s designed to prevent you from accessing your computer or specific files on it until a ransom is paid to the attacker. Usually, ransomware is disguised as a legitimate document or program, and users are tricked into downloading it from a website or opening it as an email attachment.

Most modern strains of ransomware encrypt valuable files, such as office documents and images, on affected devices; others merely lock the victims out of their computers – both, however, demand a payment to restore access.

Contrary to the popular belief, ransomware attacks are not diabolically clever creations of elite hacker groups: since they don’t need to evade detection for a long time to achieve their goal, even novice cybercriminals can launch successful ransomware attacks with minimal resources.

Ransomware evolution

Early ransomware types were usually limited to a narrow geographical region, where attackers were able to collect their money via premium SMS messages or even prepaid cards. However, the explosive growth of anonymous cryptocurrencies like Bitcoin made them the perfect tool for much larger global extortion campaigns.

Within a few years, ransomware has become a highly lucrative business for cybercriminals, providing high reward and low risk with minimal investments. Many criminal groups even offer Ransomware-as-a-service, where the earnings are shared between malware creators and their “affiliates”.

Things turned ugly in 2017 when several strains of ransomware appeared, which utilized a highly dangerous Windows exploit believed to be developed by the NSA and later leaked by a hacker group to spread across computer networks without any user interaction.

The WannaCry attack affected over 200,000 computers across 150 countries including the entire British National Healthcare System. The NotPetya malware, originally targeting Ukrainian companies, spread uncontrollably around the world within days, affecting many large enterprises: the shipping company Maersk alone estimated their losses to be around $300 million.

Ransomware was no longer just a lucrative criminal business: it has turned into a cyberweapon of mass destruction.

Ransomware identification

As opposed to most other cyber threats, ransomware manifests itself within minutes of the initial infection. Whether you have clicked a link to a malicious website, opened a suspicious email attachment, or were affected by a drive-by download (such as an infected online ad), at the moment when you see a note on the screen telling you that your computer is blocked or your files are encrypted, the damage is usually already done and the only thing you can do is to try to minimize it.

First, don’t panic – not all such notes are a sign of real ransomware, especially if they appear in your browser. Check whether you can still switch to a different program or browse a folder with your documents. If not, you might be a victim of locker ransomware.

If you can still browse your documents, but cannot open any of them because of data corruption, it might be a sign of the worst-case scenario – your files are encrypted and the only way to get them back is to pay the ransom. At least that’s what the attacker wants you to believe.

Dealing with a ransomware attack

Whether you decide to pay the ransom or not, your first action should be disconnecting your computer from the network and external drives: you really don’t want ransomware to spread to other devices or cloud services. It is also advisable to take a photo of the ransom note – this will help identify the malware strain that hit you.

Should you pay? Most security experts recommend against it: not only is there no guarantee of getting your documents back after paying, but this will also encourage more ransomware attacks in the future. However, if critical business records are at stake, and you do not have any copies left, paying the ransom might be a sensible (even though morally questionable) option.

It cannot be stressed enough that you’re not alone against the attacker in any case: there are multiple resources that will help you identify the specific type of ransomware, let you know whether the encryption can be reversed and provide additional guidance. Of course, every notable antivirus company offers its own tools and services to deal with ransomware attacks as well.

However, in many cases, the only viable option left to you is to cut your losses, do a clean operating system reinstall on your device and restore any available files from a backup. Before doing so, however, check that your backups weren’t encrypted, too.

Finally, it’s highly recommended to submit a report to your local police. This is not just necessary for filing an insurance claim but will also help the authorities to stay on top of malware trends and might even help other victims of later attacks.

Protecting against ransomware

If the scenario above looks too grim then by now it should be clear to you that the most painless method of dealing with ransomware attacks is to prevent them from happening in the first place.

Arguably the most important preventive measure is to have proper backups of all your documents. A popular rule of thumb is to create three copies of your data, store them on two different media, and keep one copy off-site. And, of course, you have to actually test your backups regularly to ensure that they are still recoverable. Having an off-site backup ensures that even the most sophisticated ransomware that specifically targets backup files won’t render them useless.
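
Two checks from this article, put into code as an added example (not taken from any backup product): the three-copies/two-media/one-off-site rule of thumb above, and the earlier advice to check that a backup was not itself encrypted before restoring from it. The inventory format, the manifest of SHA-256 hashes and the 7.5 bits-per-byte entropy threshold are assumptions; the files in demo() are constructed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def meets_3_2_1(copies: list) -> bool:
    """copies: [{'media': str, 'offsite': bool}, ...] (assumed inventory format)."""
    return (len(copies) >= 3
            and len({c["media"] for c in copies}) >= 2
            and any(c["offsite"] for c in copies))


def build_manifest(root: str) -> dict:
    """Record a SHA-256 per file while the data is known to be good."""
    manifest = {}
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = digest
    return manifest


def verify_copy(root: str, manifest: dict, entropy_limit: float = 7.5) -> dict:
    """Test a backup copy against the manifest before relying on it."""
    status = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            status[rel] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() == expected:
            status[rel] = "ok"
        elif shannon_entropy(data) > entropy_limit:
            # Compressed formats also score high, so this label is a hint only.
            status[rel] = "changed, looks encrypted"
        else:
            status[rel] = "changed"
    return status


def demo() -> dict:
    """Constructed sample: three files, one later overwritten with random bytes."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("report.txt", "notes.txt", "plan.txt"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(f"quarterly figures for {name}\n" * 200)
        manifest = build_manifest(root)
        with open(os.path.join(root, "report.txt"), "wb") as fh:
            fh.write(os.urandom(8192))   # stands in for encrypted content
        os.remove(os.path.join(root, "notes.txt"))
        return verify_copy(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the off-site copy, so that whatever damages the primary data cannot rewrite the hashes as well.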

However, backups alone won’t save you from locking ransomware or from the latest trend of “ransomware doxing”, when attackers threaten to publicly reveal sensitive stolen data unless the ransom is paid. It is, therefore, crucial to keep your users (employees, colleagues, family members) constantly informed about the potential threats. They should be trained to always check the addresses of incoming emails and not blindly click on any links or attachments. More importantly, however, they must be provided with clear actionable guides for dealing with a ransomware attack on their computers.

Endpoint protection solutions are the primary line of defense against ransomware, but the exact capabilities may vary between different products. Modern solutions rely on behavior analysis methods (sometimes powered by machine learning) to identify and block suspicious encryption-related activities before they damage your documents. Others will transparently keep copies of your original files and revert any malicious changes to them automatically. Even the Windows Defender antivirus that comes bundled with Windows 10 now provides built-in ransomware protection – however, you might want to check whether it is enabled on your computer already.

Keeping your operating system and critical applications up to date with security patches is another key prevention measure. Remember, the only reason why WannaCry was so devastating is that so many companies did not apply a critical Windows patch in time after it was released months before the attack. Besides Windows itself, applications like Internet Explorer, Adobe Flash, and Microsoft Office are notorious for having the most commonly exploited vulnerabilities.

Finally, a word about the cloud: there is a popular belief that keeping work documents in a cloud storage service like OneDrive or Dropbox is an efficient preventive measure against ransomware attacks. To be fair, there is a grain of truth in it. Most of these services have built-in versioning capabilities, allowing you to restore a previous version of a document after it gets corrupted by ransomware. Also, if your computer is locked, you can easily continue working with your document from another device (or even from a remote desktop session if your company uses a virtual desktop infrastructure).

However, these considerations only apply if you are not synchronizing your cloud files with your computer: those local copies will be compromised by ransomware and then automatically copied to the cloud in a matter of seconds. Remember, file synchronization services are not a replacement for a proper backup!

Ransomware during the pandemic crisis

Looking at the latest media reports, it seems that many workers are going to work from home for a substantial period. How does it affect the overall resilience against ransomware attacks? Recently, several large cybercrime gangs have publicly promised not to target healthcare organizations during the pandemic. Also, staying away from corporate networks might substantially slow the spread of malware from one device to the others.

However, security researchers are already reporting an uptick in malicious attacks exploiting coronavirus fears. Also, for every slightly altruistic cybercriminal, there are at least a thousand others without ethical reservations. For individuals working from home, especially when using personal devices not protected by enterprise-wide security tools, the risk of becoming a ransomware victim is, unfortunately, higher than ever.

As an alternative to office-based security gateways, companies should look at security solutions delivered from the cloud, especially those that do not require any additional hardware or software deployment. However, the most efficient protection against ransomware is still your own common sense: do not open unsolicited email communications, avoid clicking suspicious links and attachments, stick to trusted websites for the latest news. Remember, your cyber hygiene is just as critical for your security as literal hygiene is for your health.

