In many ways, COVID-19 has brought the world to its knees. Unique and potentially severe risks to privacy are just one of the pandemic’s devastating consequences.
As advisors at McKinsey and Co. recently pointed out: “During the pandemic, government authorities and companies have had to balance two priorities—protecting public health and protecting personal privacy. Some measures designed to limit the spread of the virus and potentially save lives could also have serious human rights implications.”
Three serious data privacy risks are in the spotlight as the world battles the pandemic:
- the inadvertent or deliberate exposure and misuse of personal data being collected to support contact tracing
- inappropriate access to corporate data, due in part to changes to corporate networks and systems to permit remote work access, and in part to remote workers’ home networks and devices on those networks expanding the ‘attack surface’
- the identification of individuals with COVID-19 from case reporting data shared by health organizations and others, including employers.
This article focuses on contact tracing. We explore the cybersecurity risks here. About the third issue, the International Association of Privacy Professionals (IAPP) warns: “While understanding that certain data sharing practices during the pandemic are legally necessary (e.g., hospitals or testing centers that share data with public health authorities) or can play an important role in advancing public health (e.g., making data available to researchers), organizations should also be cognizant that sharing the names of people who have had or recovered from COVID-19 presents a privacy risk for them. Even if that data is anonymized before being shared, the risk of re-identification and subsequent privacy harms can remain.” The issue is here is that anonymization of data is rarely done well and can’t be considered safe without strict controls.
A close look at contact tracing and privacy harms
Contact tracing involves gathering information about the people with whom a confirmed case of COVID-19 might have been in contact, and the places they have been. The World Health Organization defines contact tracing as the “process of identifying, assessing, and managing people who have been exposed to a disease to prevent onward transmission … [with the goals of] detecting cases early, improving early isolation of contacts, reducing community and healthcare-associated spread.” The WHO regards contact tracing as a critical weapon in the fight against COVID-10, and most countries around the world are using it in some form, with varying degrees of success.
Contact tracing can be done manually or with technology. Technology assisted contact tracing (TACT) includes apps such as Australia’s COVIDSafe, Canada’s ABTraceTogether, and Germany’s Corona-Warn-App. The US has some state-level contact tracing efforts in place, including for schools, and in May 2020 Apple and Google released a collaborative API based on detection of Bluetooth signals, which can be used in public health authority contact tracing apps. (As an aside, the Apple/Google collab has a lot of privacy controls built in and they made the design pubic. Unfortunately, most of the US Government’s contact tracing apps do not use this Apple/Google technology and have ‘gone it alone’ instead. This can lead to lower adoption rates and therefore lower usefulness.)
But largely it’s not the government developed or sanctioned contact tracing apps that leave people exposed and at risk so much as the casual and ad hoc collection of personal data at hospitality and other venues to support contact tracing efforts. Governments know they must abide by their countries’ privacy law and there is independent scrutiny around their operations from journalists. The ad hoc collection, on the other hand, is highly distributed across many small operations and is being conducted by people with little to no training in handling personal data.
Most commonly, these venues ask customers to scan a QR code and submit their details at a web site, or to write their contact details, including name, phone number, email address and residential address, as well as time of visit, on to a single sheet of paper or a log that sits in a common area such as on a counter or at a central checkpoint within the venue.
The privacy issues here should be obvious—and unsurprisingly, experts in the UK are warning of a “mass violation of rights” after some companies reportedly sold the customer data collected by pubs and restaurants on to third parties such as marketers, credit companies and insurance brokers.
The Times notes the concerns in the UK do not relate to the official NHS COVID contact tracing app but rather to data collection firms violating NHS Test and Trace Scheme guidelines for the storage and use of collected data (some of these firms have created privacy policies allowing them to retain the data for up to 25 years).
The article describes how the privacy policy of one firm, which user have to accept, explains how personal data of people accessing its website can be used to “make suggestions and recommendations to you about goods or services that may be of interest to you” and shared with third parties including “service providers or regulatory bodies providing fraud prevention services or credit/background checks.” It may also “collect, use, store and transfer” records of access to certain premises including “time, ID number and CCTV images”.”
Also in the UK, there are reports of some venue staff using the personal information to harass patrons, and of data being used in scam contact tracing activities in an attempt to defraud patrons. Australia reports similar data concerns.
COVID-19 scams are a growing global problem. The IAPP reports: “COVID-19 has proven to be one of the most effective phishing lures of recent years, as epidemics and health scares tend to provide fertile ground for social engineering attacks.”
As of May 2020, the US Federal Trade Commission (FTC) had received 60,000-plus reports of fraud related to COVID-19 and individual losses from these scams came to around $44 million. The FTC says most scams relate to travel/vacations, online shopping and health care. People working from home and college students are also targets. Scammers impersonating public health authorities is a common trick, where these criminals claim to be conducting contact tracing for COVID-19 and ask for personal information or send a malicious link via text to the victim. The US Federal Trade Commission has published advice on how to recognize and deal with COVID-19 scams.
It’s important to understand that the data privacy issues from contact tracing don’t only put the personal safety of individuals at risk, they damage customer trust in venues and brands and this may be difficult to claw back. A separate issue is whether such data collection surveillance contravenes privacy regulations.
Contact tracing and the GDPR
Some argue that contact tracing efforts, particularly the Apple Google API, are a ‘stress test’ for the General Data Protection Regulation (GDPR) and other privacy and data protection regimes. Four principles of the GDPR apply to the COVID-19 contact tracing landscape: data minimization, purpose limitation, transparency, and the burden of responsibility on organizations to sufficiently protect data against cyberattack and unauthorized sharing within the organization.
COVID-19’s impact on privacy regulations is an unfolding issue but advisors at McKinsey call it like this: “The GDPR is considered by experts to be one of the world’s strictest privacy regulations. The consensus among European regulators and the European data protection supervisor is that the current crisis does not nullify the GDPR, but that its rules are flexible enough to accommodate the emergency measures while keeping in place adequate safeguards.”
Watch this space.
How Anonyome Labs can help mitigate the data privacy risks associated with COVID-19
At Anonyome Labs, we believe the world has not yet seen the worst of the data privacy crisis prompted by the global COVID-19 pandemic. The virus landscape is changing rapidly and reporting on the full effects of the pandemic is in its infancy.
More optimistically, though, we believe that in the years following the COVID-19 pandemic, there will be an even greater focus on privacy especially from businesses recognizing that customers want their product and their privacy, and giving both to them makes excellent business. They’ll also see that affording customers greater privacy controls is as simple as building products with privacy by design and embracing enabling technologies.
We’re already making it possible through Sudo Platform for businesses to engage, onboard and continually interact with their customers without collecting, managing or risking their customers’ personal data. And we’re putting real power in the hands of individuals with our MySudo app, the world’s only all-in-one privacy solution. Speak to us to find out more.
See the important FTC consumer advice on how to spot and avoid COVID-19 scams: https://www.ftc.gov/coronavirus/scams-consumer-advice
