Will COVID-19 Test Privacy’s Limits?

Wash your hands regularly.
Keep a social distance from others when out in public.
Change your work habits by working from home or wearing a mask… assuming you can continue to work at all.
To say COVID-19 has been world-changing is an understatement. The deadly pandemic is a shoo-in for the Times 2020 cover story. It's shut down entire countries in struggles to keep it contained. It’s overwhelming healthcare systems, with a rising death toll that is no joke. Until the discovery of a cure, we're all running on crisis plans.
Change and challenge are in the air; there's no exemption for privacy. There are significant new problems that the industry is now asked to address. New norms as organizations rush digital transformation. More requests for using health data, and who should have access. Rising threats risking more data breaches. Advanced technologies in development for pandemic response that could process personal information. Here's a taste of what your local privacy and security professionals are keeping an eye on.

Privacy and Online Education

Do you have children at home? Thanks to COVID-19, parents are rediscovering the world of homeschooling. Schools are now closed in many areas, including entire provinces of Canada and States in the United States. Teachers have flipped to delivering online lessons for digital learning. Popular tools include Google Classroom, Zoom, and district-sponsored software. In Ontario, a Learn at Home Website directs parents and teachers to online resources. These include guides, games, and the province's Virtual Learning Environment.

But this digital switch is coming with hidden costs: lack of socializing, the mental health of all involved, and yes, student privacy. In order to deliver online learning, tools may need access to child personal information. This can include names, addresses, habits and photos or video recording. Yet safeguards on this information are not guaranteed.

Writing for Human Rights Watch, Hye Jung Han states:

"Children’s education data are far less protected than health data. Many countries have regulations that govern the appropriate uses and disclosures of personally identifiable health data, even during emergencies. "

What should parents be aware of?

Privacy watchdogs are right to worry. There's a lot that can go wrong. Zoom has hit the news frequently for privacy faux-pas, including attackers photobombing classrooms. A naked man using Whereby crashed the video call of students in Norway. Speaking with the Washington Post, Alberto Carvalho, a public school superintendent, says security is a big worry. "“Trust me, online predators are aware of what is happening around the country, and they are aware that children of all ages are somehow connected."

Even if the tool is secure, there are concerns on how they're in use, and accidental exposures. Videoconferencing calls transmit more than the student's voice. They can also pick up actions and sounds in the background, including the private conversations of family members. The Ottawa Citizen reports on school boards setting up guidelines, or rules for the use of online tools. At the ACLU, there's significant worry using how online learning tools to snoop. "Some of these products troublingly enable EdTech companies and schools to spy on students despite no evidence of wrongdoing — a practice that further exacerbates the over-disciplining of students of color." Some state and provincial laws might prevent this, but it's a hit or miss across jurisdictions.

Privacy and Contact Tracing

Could technology tell us if we've been in contact with a COVID-19 carrier? Could it help loosen social distancing restrictions by telling us where, or whom, to avoid? Contract tracing, the ability to discover potential carriers of a disease isn't a new field. It involves tracing a virus by speaking with those infected and retracing their steps. Where did they go, whom did they speak with? Using this information, investigators can develop a network of where the virus has been, and alert potential new carriers.

Traditional contact tracing however, isn't without flaws. As David Coldeway with TechCrunch states, it means relying on the memory recall of individuals in a stressful situation. Even the best interview may miss key interactions or locations where the virus could spread. Technology, in theory, could help with this process, even speed it up. Instead of relying on witnesses, tech can trace data to show past interactions and locations of infected parties. Already this practice is in place.

Successful Case Studies?

In South Korea, contact tracing is in force, under the Infectious Disease Control and Prevention Act. Writing for the New Yorker, Max Kim notes that officials must now publish information on disease spread. This is information can include "infected people’s travel routes, the public transport they took, and the medical institutions that are treating them."

South Korea's success has other countries eager to adapt the practice. In Australia, officials are eyeing TraceTogether, an app in use by Singapore. Ireland is banking on CovidTracker. Giants Apple and Google are coming together to create a Bluetooth contact-tracing app. For developers, it's a race for whom can come up with the best solution first. This isn't business as usual after all: the world is in a crisis. Loved ones are dying. Entire families are loosing sources of income. If an application can reduce spread, it's worth serious consideration.

What could go wrong? Plenty, unfortunately.

For those privacy and security professionals, turning to technology to reduce COVID-19 can't be a rush job. There are serious questions over the protection of the data and its use.

To begin with, nothing but the best security will do for any app entering COVID-19 response. Whatever platform makes the cut will be a mark for hackers. Writers for Bloomberg Law remind readers that applications like those in development by Apple and Google create "a tempting target for cybercriminals looking for sensitive health data to find out who’s been infected with the coronavirus.” Already, there's a question of if users will even trust the platform. Ontario Canada, looking to develop a new data platform called Panthr for COVID-19 response, has been clear to developers. Ted Fraser with The Toronto Star asserts government views privacy and security as must-haves. Requirements for partners accepted into the project include "creation of a cybersecurity advisory body, an ability for the province to audit the project, and a pledge that the data of Ontarians will remain secure “at all times.”

How Long Will Trackers Be in Use?

Yet even if the data is fully protected, there's still privacy concerns. What will the data be used for? How long will applications be tracking? How long will they hold information? Presently, governments assure residents application of new tech will only be temporary, to halt the flow of COVID-19. But that's an awful lot of power, and the temptation to keep using the data may be too much. Writer Stilgherrian for ZDnet puts it best: "Once governments gain certain powers or access to certain technologies, very rarely do they hand them back with a friendly 'Thanks, we don't need that any more'. In fact, the opposite happens. There is always scope creep."

In South Korea, where contact tracing is already at play, officials find themselves walking a fine line. There have been instances where information releases identified individuals, leading to online harassment. Israel parliament has stopped use of a COVID-19 tracking platform. According to committee member Ayalet Shaket, the privacy violations outweigh the benefits. The balance of trying to protect residents without adding new harms makes for a tough problem.

Security Specialists Can't Get a Break

Industries all over the globe are taking a hit, but there's one that's still booming: cyber crime. According to Phil Muncaster, hackers are busier than ever, with attacks up since February. Layoffs and social distancing sanctions mean recreational hackers have more time at home to play. The COVID-19 crisis is also a new attack vector for professional cyber criminals. People are fearful and anxious, making them more susceptible to scams.

What are some examples of attacks? Faulty texts with malicious links stating victims have been on contact with COVID-19 cases. Fraud disguised as sales of personal protective equipment. "Some fraudsters have tried to fool people into clicking on malicious links promising Canada emergency response benefit (CERB) payments," writes Catherine Tunney with CBC.

A Bigger Problem Than 'Hackers Gonna Hack'

Compounding to the struggle, are organizations working under different security environments than before. Offices are shifting to remote work for the safety of employees and to meet government mandates. It's a good call, allowing social distancing while keeping operations moving, but it can also cause complications. Security teams have less control over household information safeguards than at the office. How are staff accessing internal materials? Are they using secured networks? If using a home computer, what system? Is anti-malware installed? Are all systems patched and up-to-date? What about vetting the security of new tools for remote work? Suddenly information internally protected is at higher risk for exposure. As Mark Gaudet expressed to IT World Canada, remote work is a challenge for security.

Combine more attacks with less safeguards and it doesn't take much to add up the peril for personal privacy. As the pandemic continues what will the number of data breaches look like? How many systems will get compromised in the lockdown? With all that's happening, a digital disaster is the last thing organizations need. But for those not ready to put priority on safeguards, it's likely a struggle many will need to deal with.

Can You Control a Virus Without Controlling People?

As cities work to quarantine and reduce spread, there's another concern: how to enforce lockdown? Sadly, not everyone ordered to stay at home will do so. Asymptomatic individuals may not be aware they are carriers or see the point. Some chafe at restrictions, doubting their health is in jeopardy. To counter, many governments are increasing law enforcement powers as part of the emergency. But this brings another problem into play: how safe are we if in a state of surveillance?

Street checks for individuals violating social distancing are becoming more common. In Waterloo, Canada, police can check a database if an individual has tested positive for COVID-19. The policy met approval by the Waterloo Regional Police Services Board according to CBC. On Twitter, the Ontario Provincial Police remind it is an offence for failing to correctly identify yourself to an officer. Will all these checks really be limited to emergency protections?  Speaking with the London Free Press, CCLA executive director Michael Bryant voiced concerns. “It’s almost definitely going to lead to a measure of racial profiling and a lot of unlawful and unconstitutional behaviour by police.”

The challenge isn't only Canadian. In Westport, Connecticut, police are testing drones to confirm individuals are social distancing. Writing for Futurism, Victor Trangermann details how the drones can test for temperature and heartbeat. In United Arab Emirates, 'smart helmets' for police now scan for fevers. Similar technology has been in place in China since February. The question is, how long are these changes here to stay? Commenting for Business Insider, Darren Byler, a technology expert specializing in Xinjiang, remarks the cat may now be out of the bag. "I suspect some of the measures surrounding the coronavirus outbreak will continue to be implemented even after it is over."

Tip of the Iceberg

There's more, much more, that could be discussed here. The Washington Post is now reporting on 'tattleware' that employers can use to invade the home office privacy of staff. Infamous facial recognition company Clearwater AI is rumoured to be putting its own federal bid in as a virus contact tracer. Privacy commissioners around the world, are issuing developments outbreak. Statements are from countries including Canada, the United Kingdom, Germany and New Zealand. Senators in the United States are planning to introduce a new privacy bill. This might sound like a good thing, until reading the fine print. A report from the Verge suggest it's actually more likely to hurt privacy protections. The reality is, when it comes to COVID-19, it's a challenge trying to keep afloat of all the new threats to privacy coming out of the woodwork.

Hold on to your hats, the fun is just getting started.

Posted in Aware, Privacy and tagged , , , .