Contact Tracing APPs are they ethical?

Are Contact Tracing APPs ethical? Are you willing to give up your private data to help slow the spread of the Coronavirus? Check out what these experts have to say!

Contact Tracing is it Ethical?

Apple and Google have the capability that allows cell phones to communicate with each other. Contact Tracing Apps use this capability and have been developed to find and alert the contacts of people infected with the Coronavirus / COVID-19. As soon as someone gets sick with Coronavirus, the APP could alert you if this is someone you have been in contact with. Alleviating the length of time it takes for a real live Contact Tracer who is doing the tracing. Basically, this is widespread human GPS tracking, that presents many privacy issues involving potential data breach, information storage, and sharing sensitive personal data. Should sensitive medical information and individual locations be available on an APP? Do you believe this type of electronic contact tracing is ethical?

Check out this video to listen in on experts as they consider the amount of data that is being collected and what it means for your data when you download a Contact Tracing APP.

Video Transcripts Follow

Lee Neubecker (LN): Hi this is Lee Neubecker from Enigma Forensics and I have Debbie Reynolds back on the show, thanks for coming back Debbie.

Debbie Reynolds (DR): Thank you for having me, very nice to be here.

LN: So I’m very interested to hear more of what your research is regarding contact tracing apps, and what you think that means for individuals that might put these apps in their phone. Tell me a little bit about what’s happening right now with the industry and how contact tracing apps are working.

DR: Yeah, so Apple and Google created a capability so that phones can communicate with each-other via beacon. So that they can store information on phones, or have phones bounce off of one another, so that if someone downloads a contact tracing app or registers there, if anyone who also has the app, it will be able to trace back, y’know, how long they spent with certain people and tell them whether they feel like they may have been exposed in some way, and tell them either to quarantine or go seek treatment in some way, or get tested. So it’s pretty controversial, the contact tracing app, for a couple of different reasons. One is, people are very concerned about privacy, like giving their potential medical information to a company that’s not a medical provider, meaning that they’re not protecting the data the same way. Also, as you know, Bluetooth technology isn’t exactly super accurate in terms of the distance that you are from someone, so the delta, in terms of how accurate it can be, may be way off. It may be several meters off, the phone can’t tell if you’re six feet apart or whatever, so I think that they’ve tried to tune that up with this new API that they created, but still, based on the science, we don’t know that it’s actually accurate or not.

LN: So you could still have a situation where, if you put one of these apps on and you’re outside biking, and you bike within 8 to 10 feet of someone who later does have it that you’re getting notified that you have to quarantine on a false basis. That’s a potential outcome of using an app like that, correct?

DR: Yeah, but I think that the way they having it now is that it’s supposed to register you spent more than 15 minutes near that person, so, y’know.

LN: Okay, that’s good to know.

DR: But let’s say you’re parked in your car and someone’s parked next to your car, so you aren’t physically near, y’know, you aren’t in any danger from that person but you wouldn’t know, just because your phone says you’re close to them. They don’t understand the circumstance that you’re in, to be able to tell that, so. I think people are concerned about, a lot about privacy, them taking the data or how the app is actually going to work, and it’s going to work differently in different countries. So what they’ve done is create this API, this capability that’s put on everyone’s phone, and then if you download the app, the app which you use will use that API to actually do this beacon exchange on people’s phones. So, that’s kind of what’s happening right now, is different countries and different places are implementing it in different ways, and some are really pushing back on them because they don’t have really any good guarantees about privacy, or data breach, data breach is a huge issue.

LN: Yeah, I mean, our Government’s never had data in their custody compromised ever, right? wink..wink

DR: Right, that never happened, exactly, so-

LN: You’re having your maps of where you’re walking, your GPS records-

DR: Yeah.

LN:time of day, your movement and that is going to Google and Apple, and under certain conditions they’re passing that data on to the CDC or other entities, law enforcement, enforcement groups.

DR: Well their concern is that data, because it’s at a private company, will get merged with other things, like let’s say your insurance carrier, or your medical, y’know, you get dropped from your insurance because you have this app-

LN: You drive too fast.

DR: No because you have this app, and they think that you may have been exposed, or you’re a higher risk, or a bank doesn’t want to give you a loan or something, because you have this app on your phone. I’ve been hearing a lot of different scenarios people are concerned about. But I’m curious, from your perspective, in terms of how certain things are stored on phones. I know beacons is a really big idea, but maybe you can explain a little bit about how Bluetooth actually works?

LN: Yeah, well Bluetooth is a near band wavelength that allows for peer-to-peer networking. Bluetooth has been exploited in the past to be able to take over devices, so it’s, a lot of people don’t like to have their Bluetooth on continuously because you’re opening your phone up to potential attacks, cyber attacks, via Bluetooth. You’re also broadcasting, when you have Bluetooth on you’re also broadcasting your MAC address identifier, your Bluetooth unique address and there have already been issues where retailers in London at one time, they had kiosks outside that would track the shoppers and they’d know how long they were at certain stores, and they’d use that information to serve custom video ads to people as they’re shopping and walking by.

DR: Right.

LN: So there’s privacy implications and security implications of having Bluetooth on all the time.

DR: Yeah, and that’s a big concern. So I know when I first heard this, about them doing this contact tracing, I was wondering like how exactly would they get the proximity right, and because we have no visibility to that we really don’t know, right?

LN: No.

DR: So we just have to sort of trust the black box and see what happens, to some extent, but I, for me I think my opinion is that contact tracing is a profession, it’s not an app. So, there are people who do this as a profession, only, let’s see, 55% of people in the world don’t even have smart phones, so you’re talking about a capability that’s only for 45% of the people, and not all those people are going to actually volunteer to get these apps.

LN: Yeah.

DR: So it doesn’t really help to contact, for people who do contact tracing, except it adds another layer that they have to work with because they still have to track people whether they have cell phones or not.

LN: It’s interesting stuff, thanks for bringing that to our viewers’ attention and thanks for being on the show again.

DR: All right, thank you so much, I really appreciate it.

LN: Okay.

Check out these related Blogs

Energy Industry Incident Response

Energy is vital to our everyday life. Companies face a competing demand to preserve data and at the same time continue to function. Experts Lee Neubecker and Geary Sikich give advice on how to overcome these challenges.

The Energy Sector provides the global economy with oil, gasoline, electricity, wind and natural gas. An Energy Industry incident could be a physical attack on a power grid or a cyber attack that stops a company from functioning. The properly planned and orchestrated energy sector incident response will minimize or reduce recovery time and loss. Potentially saving lives! Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp. strongly urge all companies to create an incident response plan.

This is the final segment in the four-part series on Energy Sector Cyber Insecurity.

Part 4 of our Global Energy Sector – Incident Response

Energy Sector Incident Response video transcript follows

Lee Neubecker: Hi I’m here again with Geary Sikich, and we’re continuing with our final fourth part segment in this discussion about global cyber insecurity as it relates to the energy sector. And in this segment, we’ll be telling you a little bit more about some of the things that need to happen, related to the incident response of a data breach, for the energy sector. Geary, thanks for coming back.

Geary Sikich: Thanks Lee for having me. I think this is, probably one of those areas that are challenging to talk about.

LN: Yeah, certainly, and at the forefront, when things first go wrong, there’s a need to immediately take action to help preserve the data, and collect data so that it can be analyzed. But at the same time, there’s a competing demand for wanting the organization to function. And sometimes those two needs, create conflicts.

GS: Yeah, they sort of butt heads if you will. Yeah, I think the issue for a number of organizations, and I’ve experienced being in the kind of command center if you will, of organizations where their website had gone down. And it was, one of these where a lot of stuff was processed through the portals that they had there. Suddenly there was this pressure to get things back up, and then to look at, what is this costing us? Because now our customers cannot execute their orders and whatnot. And that becomes a challenge because it’s the urgency issue. The other aspect is that when we look at incident response, and this is a little bit different from the typical natural disaster incident response. If I’ve been breached in a cyber incident, how long is it before I actually realize that I’ve been breached? It may not happen very quickly, it could be very subtle. And things could be manipulated, and suddenly I’m in a situation like some of the big companies that had data hack, where all the sudden personal accounts of cardholders are exposed. Now, what do I do? So there’s a lot of not the only rapid response that’s needed, but a lot of consequence analysis that’s really needed.

LN: Is it?

GS: How do you do that and yet maintain, as you were saying, and begin to look at that.

LN: Yeah.

GS: From, not really a legal standpoint, but, from a defensive standpoint.

LN: Yeah, well there’s a lot that needs to happen in a short period of time, you have the collection and preservation. Which, forensic professionals are often called in, such as myself. To collect the data. Firewalls, servers, logs. Then you also have the analysis of that data to determine, what are the motivations of the attacker? Was it an attacker? Was it negligence? You know, oftentimes things go down, people assume it’s a cyber attack, external. It could be an internal attack, it could just be something as innocent as, I’ve seen a new system coming online that’s supposed to help back up and provide redundancy, actually reformat a storage NAS array, that it was supposed to help protect. So, these things can happen. And quickly understanding, making sure that data doesn’t disappear that could be used to rebuild is important And that’s where bringing in the outsider’s important because someone new coming in doesn’t have skin in the game. And, you really need that objective party, to help you figure out what’s happening.

GS: But I think that in that respect when you bring in someone from outside, they also have a vested interest in making sure that, from not only a reputation standpoint but also from the standpoint of the viability of their services, making sure that they’re helping to alleviate the issue. And to bring back some, equilibrium if you will. So there’s this issue of consequence management that comes to bear on those–

LN: And you have some conflicts that happen with having the people that were, kind of in charge of watching over the equipment, do the investigation. And that can cause some, serious problems to the organization. And it may be very well that, the attack wasn’t the fault of the people responsible for managing it. But, if for instance there was, an action that took place that might show some carelessness or mishandling of events by the people in charge of IT, there’s a real risk there that, that person might take actions that could result in further data destruction. In an effort to cover up, what had happened.

GS: So now in that respect, we need to protect, we need to begin to look at how we manage the data collection post-incident, or during an incident, if you will. There obviously some legal ramifications.

LN: Yeah well whoever does this might have to testify. And that’s another reason why having a third party come in to do this work is important. Because you may want, legal may want to know, “well before we put an expert up to testify in this, “just tell us what happened and how do we respond? “How do we get ahead of this?” If it was a problem with a vendor, you want to know that. Because the clocks ticking. You know from the time a data breach is confirmed, it is a real data breach and known, to the time it has to be reported, oftentimes its thirty days. So there’s not a lot of time, to wait around If your data breached before you get in your expert, your forensic expert to inspect.

GS: Okay, so we’ve got a legal consideration, that has to be looked at. Insurance today has changed in a lot of respects. So, business interruption insurance. Obviously, that’s a critical area because if you want to file a claim–

LN: Yeah you have to report it to the carrier, or even if you have cyber coverage, it might not be covered if you failed to notify the insurance company of the incident.

GS: So, when I look at that aspect and say, “I’ve got a business interruption policy,” you mention cyber. And now I know that there are other writers to those policies. Like for terrorism and things like that today. If I don’t have a cyber writer, which is a contingent business interruption issue, my business interruption insurance may not cover me, on something like that. So it really becomes more incumbent to have one, the knowledge, two, to be able to look at the legal considerations, three, to begin to understand insurance laws, what do I have from a coverage standpoint? Which is where the traditional risk management group comes into play. But IT’s got to coordinate with them, to ensure all that.

LN: Exactly, and I had Todd Rowe on my show, who’s an insurance cyber attorney, that deals with these coverage issues. So, that’s an excellent video to watch that delves into that more. The other things though with incident response, you know you have the potential PR issues that relate to being data breached. So really, you need to assemble your team, your in-house legal, your HR, your media advisor. Preferably you have a PR firm that has dealt with data breaches before. And then, you’ve got to put together a plan. And all this stuff needs to be going on in parallel. So while that’s happening, your internal people are probably trying to work on, getting their disaster recovery systems restored. You might even have an outside IT provider come in and help bring those systems back up online. The workload that happens when a data breach has occurred, is such that it really isn’t pragmatic or practical to try to have internal IT do all the work. And it also isn’t covered by insurance typically. The outside providers will usually be covered, but not the internal people.

GS: So, if from a structural standpoint, and I’ll draw this to the areas that I worked in many years back after some of the events in the energy industry. Oil spills and things like that. Where industries adopted what they called an incident command system. The United States now has the National Incident Management System. So with cyber though, the composition, in terms of that team, is not necessarily the same that we would see in a typical, incident command system as is generally presented. So from a functional standpoint, I think that there are some things that I would look at. One, somebody’s got to be in charge. Two, somebody’s got to look at planning. What’s going on, and future planning, what do we do? Three, operationally, what’s effected what’s not affected? How do we keep it from cascading? Four, a communications perspective. Internal and external. An administrative function, which looks at the financial aspects. An infrastructure function, which again, internal-external infrastructure. And then, the aspect of, you know, bringing this all together as a team. Your HR people, all these other things. So, yeah.

LN: That was an excellent wrap-up Geary. I really appreciate you being on the show. If you liked this video, please share it. And check out the other segments we did as well. Thanks again Geary for being on the show.

GS: Thank you, Lee. Very challenging to present on this topic. So much.

LN: Be safe.

Watch the other segments in our Cyber Insecurity in the Energy Sector Series.

Energy Sector Detection

Energy Sector Protection

Energy Sector Global Cyber Insecurity

Enigma Forensics related video blogs

Cell Phone Privacy

One can’t overstate how much of our personal lives we reveal to our smartphones and that includes criminals too. Watch this three-part series to learn more.

Introduction of our four-part series on Mobile Phone Privacy and Security.

Cell phone privacy is a real concern for both individual users and law enforcement. Literally, everything you do on your smartphone or any other device is vulnerable and completely defenseless against criminals and sometimes the government. Think about what you have on your phone and how it’s used on a daily basis. All of your personal contacts, photos, videos, text messages, emails, online bank or other accounts, GPS locations data, basically, your history of who, what, where, when and how about yourself all exist on your smartphone. We can’t overstate how much of our personal lives are revealed and how much our cell phones are vulnerable if disclosed to unauthorized parties.

Guess what? Criminals have cell phones too, and their information can lead to not only solving a crime but saving lives. Law enforcement agencies continue to call for access to encrypted communications and devices, while tech companies warn that doing this would weaken the protection and allow potential criminals to take advantage of that same access. Leading computer forensics expert Lee Neubecker, CEO & President of Enigma Forensics discusses the issues relating to cell phone privacy and the government’s desire to have a back door into your smartphone with the Data Diva, Debbie Reynolds of Debbie Reynolds Consulting.

Cell Phone Privacy: Part 1 of 4

The video discussion transcript follows.

Lee Neubecker: Hi, it’s Lee Neubecker again, and I have “the Data Diva”, Debbie Reynolds back on my show again.

Debbie Reynolds: Hi!

LN: Thanks for being on.

DR: Thank you, Lee, for having me. I’m happy to be here.

LN: So we’re going to try something new. Instead of doing a big long eight to ten-minute video clip, we’re going to do a multi-part series, and this one’s going to be on the topic of…

DR: Cell phone forensics and recent incidents in the news having to do with the government asking private companies to unlock or create back doors to cell phones.

LN: Yeah, so cell phone privacy is an issue that many people are concerned about There’s a legitimate national interest in being able to investigate when terrorists use cell phones to conduct attacks. But there are also some concerns that every business should be concerned about if there’s a single back door key because we know the government can’t keep their keys in place. At least that’s what happened to the FBI, the NSA, then other agencies that were breached following the OPM breach.

DR: That’s right.

LN: So in the first segment of our four-video series, were going to be talking about what was reported by the Inspector General’s report from the FBI involving the San Bernardino terrorists when they wanted to get into the cell phone.

DR: Right. And next, we are going to talk about the privacy issues related to the FBI or possibly companies creating back doors, the court issues, the key solutions, and also the imperatives of organizations or companies not wanting to create these types of vulnerabilities in their inventions.

LN: Then you’ll get to hear us banter a little bit about what we think should happen

DR: That’s right.

LN: And then finally, in our last segment, the Pensacola Navy Yard station shooting that happened just this week. The FBI again approached Apple wanting help to get into the phone because they haven’t been able to get into the phone, and they’re wanting to know who else was involved, who they were texting with and whatnot so that they can help prevent other such attacks. So, that will be the wrap-up, and we welcome your comments on the website, your likes, and feel free to check out our video and share it.

DR: Thank you.

LN: Thanks a bunch.

Watch the Next Segment on Cell Phone Privacy: Part 2 of 4 continued

More to read about Cell Phone Vulnerabilities

Computer Fraud & Abuse Act Charges Filed

Capital One Data Breach

Capital One Data Breach – Interview of Data Privacy & eDiscovery expert on the fallout

Cyber Security &  Computer Forensics Expert Lee Neubecker interviews Data Privacy Expert Debbie Reynolds on the fallout from the recently disclosed Capital One Data Breach that occurred following alleged hacking of the company’s data stored in the cloud.  Issues discussed include an assessment of how the CEO of Capital One managed the crisis, pending charges filed against Paige Thompson and the Computer Fraud and Abuse Act in the government’s complaint filed earlier this week.

Transcript of video follows

Lee Neubecker: Hi, I’m here today with Debbie Reynolds from Debbie Reynolds Consulting and we’re going to be talking today about the recent news involving the Capital One Data Breach Thank you for being on the show Debbie.

Debbie Reynolds: Thank you for inviting me. It’s such a thrill, you’re such a joy to be around to talk to so it’s great to do this

Lee Neubecker: Well it’s great to have you here. So, trial’s expected this Thursday in the case. Can you tell everyone a little bit about what happened this week?

Debbie Reynolds: So this week is in the news that Capital One had a data breach. There was a woman who used to be, I believe she’s worked Amazon if I’m not mistaken, who had found a vulnerability in Capital One’s cloud system, and was able to obtain private or digital information on over a hundred billion customers or potential customers for Capital One so as far as I can tell they say that she may have gathered social security numbers and other private information about individuals who had even applied, who may not even be customers of Capital One, who have even applied for a Capital One credit card back as far as 2005.

Lee Neubecker: Yep.

Debbie Reynolds: So the vulnerability that was discovered and part of the reason why it was discovered was because she had apparently bragged about it on Twitter and she used her real name and so they were able to pull this stuff together. And I think the SWAT team went to her house?

Lee Neubecker: Yeah, so she was using the IP, iPredator, which is supposed to anonymize and protect you. When she was using that she created her online GitHub accounts and other accounts and it had that IP, the iPredator IP address range in her profile linked to her name. So she wasn’t really being smart about it.

Debbie Reynolds: No. So yeah, I think that she was bragging about what she had, I guess she was proud of what she had done and apparently someone who had seen something she had post on some forum contacted Capital One. This wasn’t a breach in which Capital One found out about; someone from the outside said, “Hey, this girl says that she has your data” and now it’s a really big thing.

Lee Neubecker: Yeah so now she’s charged with a computer fraud and abuse act which I think she’ll probably end up …

Debbie Reynolds: Yeah.

Lee Neubecker: Do you think she’ll get a plea?

Debbie Reynolds: She’s probably going to go to the slammer. It seems like especially when the SWAT team showed up at her house, they’re definitely going to make an example out of her with this. It’s pretty bad because I think right now the reports and what’s coming out from Capital One are different than what she said or what other people said they have. Because at one point they were saying that Capital One in their statement said that certain people’s social security numbers weren’t breached but then we know that they did get people’s social security numbers.

Lee Neubecker: It was mostly Canadian social security numbers, around a million–

Debbie Reynolds: Right.

Lee Neubecker: And then I think it was somewhere around 100,000 or so U.S. citizens.

Debbie Reynolds: Right, exactly.

Lee Neubecker: So it doesn’t necessarily impact the entirety of U.S. customers, but it still is–

Debbie Reynolds: It doesn’t, it doesn’t make you feel good. Yeah so basically over a hundred million people were touched in some way, shape or form. Even though not everyone’s personal data was taken to the same extent as everyone else, but I think this incident illustrates for us a couple of different things. First of all, they were saying that they had credit card information or information on people who had applied for credit cards going back as far as 2005. I’m not sure if they can make a justification for why they even had some of that stuff.

Debbie Reynolds: It’s first place. Especially if and I wonder what rights someone would have if they weren’t actually didn’t translate to being a customer of Capital One. The law’s kind of murky about how they should do that. I guess that’s the same issue with Equifax where not everyone who was touched by Equifax are customers of Equifax, they just happened to have their data.

Lee Neubecker: What would, how would you have advised Capital One had you gotten in there before the data breach?

Lee Neubecker: You think you might have been able to–

Debbie Reynolds: Well, you know–

Lee Neubecker: Get them in a better situation?

Debbie Reynolds: I think a lot of corporations, my view is that a lot of corporations have this mindset or business has this mindset of does it work? Does the computer work? Can I do the thing I need to do on a computer? The question that they’re not asking is is it secure? So a lot of them have a blind spot in terms of securing things because as long as it doesn’t impact their ability to work, they don’t really care how it works. So now companies have to ask how does it work? Is it secure? A lot of companies have these issues where they’re moving from internal infrastructure to the cloud and we know that the cloud infrastructure would typically be more secure quote unquote than someone’s on premise infrastructure but that all depends on how it was configured. The vulnerability that this woman was able to exploit in Capital One had to do with how the permissions and things were configured on a cloud infrastructure.

Lee Neubecker: And she had worked in that environment.

Debbie Reynolds: Right. So she had a little bit of extra insight–

Debbie Reynolds: Exactly.

Lee Neubecker: In this process.

Debbie Reynolds: Exactly. But I don’t know if you probably run into the same thing where you’re having clients that have cloud issues and they may feel more secure in themselves. Okay, we think our native is more safe than the cloud, not to say that the cloud is not safe, but if we have someone who doesn’t know how to fill those gaps and stop those vulnerabilities, it could be a huge problem.

Lee Neubecker: What do you think of the CEO’s response from Capital One?

Debbie Reynolds: I saw CEO’s response. I don’t know, someone needs to do a series about this where you compare all the response letters from these data breaches or whatever.

Lee Neubecker: That’s a great idea.

Debbie Reynolds: Not a bad response at all. I think the danger though is there may be an issue with consumer confidence obviously because no one wants their data breached, but if the things that are being said by the CEO or other leadership it becomes evident that it’s different than what actually happened, that’s going to be a problem.

Lee Neubecker: Yeah, cool.

Debbie Reynolds: I think rushing, the desire is to rush. To put out as much information as you possibly can but already the news reports are contradicting what the company is saying about what was actually breached.

Lee Neubecker: Well the complaint is available, I’ll post that on my website as well. I read the complaint and there’s a lot of detail in there and you’re right, in the news story they’re talking about Amazon cloud, they talk about a company that presumably is a subsidiary of Amazon inside the complaint.

Debbie Reynolds: Right.

Lee Neubecker: But they didn’t specifically mention Amazon in the complaint.

Debbie Reynolds: No, no so it’s going to be customers when they feel like they’ve had a data breach they definitely want, you know there’s attention that has to happen where the company wants to be as forthright and forthcoming as possible about what’s happened, but the facts may still be rolling out.

Lee Neubecker: Yeah.

Debbie Reynolds: The drip, drip, drip of it all may be tough I think.

Lee Neubecker: But I thought at least it was good that they public acknowledged it. It didn’t take forever to acknowledge it.

Debbie Reynolds: Oh, right exactly.

Lee Neubecker: And apologize, I mean–

Debbie Reynolds: Oh, absolutely. It does goes a long way–

Lee Neubecker: They just did that so I applaud them for not–

Debbie Reynolds: Absolutely.

Lee Neubecker: Sitting on it like Equifax.

Debbie Reynolds: Right. They didn’t say, “Well I’m sorry that you were hurt or you felt hurt,” or something where it’s like oh yeah, you know there is harm there so you might as well acknowledge it and try to at least be forthright about what you know and we know it.

Lee Neubecker: And from what I read too, not all of the data, some of the data was tokenized but there were birth dates, there were some socials. Debbie Reynolds: Right.

Lee Neubecker: And some other information that certainly if that were you or me, well we’re kind of becoming used to this all the time. It’s sad, but.

Debbie Reynolds: Right, well I mean and what we’re seeing, what I’m seeing, what companies are trying to argue in the U.S. having to do with data privacy is if you put, let’s say you’re on Facebook and you say, “Hey, today’s my birthday!” You know so if Lee puts his birthday on Facebook, is Lee’s birthday private? So let’s say you’re a Capital One customer, they could argue you know your birthday is not private because you put it on Facebook. That’s going to be an interesting theme.

Lee Neubecker: Well thanks so much for being on the show today.

Debbie Reynolds: It was fantastic, thank you.

Debbie Reynolds Contact Info

datadiva at debbiereynoldsconsulting dot com
312-513-3665
https://www.linkedin.com/in/debbieareynolds/
https://debbiereynoldsconsulting.com/