Senior lecturer warns more accountability needed to restore trust in State assets, wider acceptance of technology

The University of the West Indies (UWI) Mona’s Department of Computing says it stands ready to assist the Government with securing the embattled JamCOVID19 website and app. 

Software security lecturer, Dr Curtis Busby-Earle, in a recent interview with Our Today, said that while the Government has not sought assistance from the department, it is uniquely qualified to address the challenges associated with the platform.

“As far as I am aware of, no they have not [reached out] but that would be one suggestion. We are here to assist. We not only have members of staff whose research and experience are in the area of cybersecurity but we also have those whose area of expertise is in software engineering,” he said.

Amid the JamCOVID19 controversy, it is likely to be an uphill task to convince the Jamaican public to buy into the National Identification System (NIDS), with Busby-Earle explaining that the repeated security breaches could have damaged the State’s tenuous reputation.

“It certainly isn’t flattering because the nature of the website in question holds a lot of sensitive data. And [with] the recent passage of the Privacy Act—and the immense commitment to ensuring the privacy of its citizens—on top of all of the concerns that have been expressed by the citizenry about NIDS and the associated information that will be stored, I think it could be pretty damaging,” Busby-Earle told Our Today.

“Of the recorded and written responses I’ve seen, [the Government] seems to be taking some responsibility but past that I haven’t seen, in my opinion, something that would show or demonstrate there is some more accountability for what happened,” he added.

Despite the controversy, Busby-Earle explained that there is a path to redemption for JamCOVID19, which depends on government action as well as a commitment from developers Amber Group to get it right.

“There is a road to redemption; it can be fixed but to fix it would require a lot more effort on the part of the developers,” he opined.

The senior lecturer added that, based on the reported three-day span it took to develop the application, such a short period possibly signals little set attention to secure the platform. 

“Even if that was simply the front-end—what is seen by the user wishing to utilise the services of the application—when people knowledgeable of cybersecurity see that, it’s a beacon because it suggests not enough effort would have been placed in developing the application with security in mind,” Busby-Earle contended.

“Why? Because developing applications, even for a website, entails a number of phases which would include considering potential security [holes], breaches or ways people might try to access the data or try to use the application in ways not designed,” he added.

From that perspective, Busby-Earle continued, JamCOVID could chart its path to redemption. 

“You would have to revisit how the application, in its entirety, was developed, then implement changes based on the findings of what may not have been done as the application exists, and then, take that information and rewrite the application. The most important aspect would have been developing requirements [before], and not what we’re seeing now, as a consequence of trying to patch holes that have been discovered after the fact,” the lecturer told Our Today.

The software engineering researcher argued that Amber Group’s statements of the breaches being ‘immediately rectified’ were premature in light of further lapses revealed by online media outlet TechCrunch, including over 500,000 quarantine orders exposed on the platform. 

“To state that all the issues had been addressed sounds a little too preliminary a statement to make at the time, and that is supported by the fact that other issues have been raised. You’ve seen two others and I believe there are likely others that have not been reported,” he said.

In the meantime, Busby-Earle told Our Today that a public education initiative would be an excellent step in the right direction to sensitise the Jamaican public on the importance of protecting their digital identity. 

“In many instances, I think openness and transparency is a good approach to take, certainly with regards to what has happened and continues to unfold. Contacting persons who [the government knows] were affected is a good start but I feel it could be taken a bit further,” the senior lecturer explained.

“I certainly agree that trying to instil a greater awareness of cybersecurity with the Jamaican public is an excellent idea, especially as the Government plans and approaches incorporating technology at a deeper level to provide better services to the citizenry. But, coupled with that, the improvement of the knowledge of the average Jamaican citizen of what some of the things they ought to be concerned and aware about should also be an integral part of that process,” Busby-Earle added.