Data Privacy Issues Surrounding The Pandemic
There’s been a lot of buzz lately about utilizing people's location data on their smartphones to notify them when they’ve come into contact with someone who has tested positive for the COVID-19 coronavirus. Contact tracers is also becoming a hot topic, according to Dr. Adriana Sanford, a senior fellow with the Center of Intelligence and National Security at the University of Oklahoma. Sanford was the guest on this week’s edition of Task Force 7 Radio, with host George Rettas, the president and CEO of Task Force 7 Radio and Task Force 7 Technologies.
“This is very interesting because it has the ability to say, ‘Hey, George, you went for a walk today and we noticed that your iPhone was very close to another iPhone for several seconds. And if that iPhone was close to another iPhone for several seconds, we are going to record that you are in contact with that person,’” Sanford said.
If a person spends a few seconds in close range to another iPhone, it will record that, she added. “Later on, if there's somebody that you were next to that tested positive, there is a way for them to reach out to everyone else including you, to say, ‘Hey, this person tested positive. You may want to isolate yourself or you may want to get checked, you may want to notify others.”
This is a new app being worked on in a joint partnership between Google and Apple, Bluetooth-based contact tracing system, Sanford said. “They're saying basically that they can keep track of the spread of the infection without compromising location privacy,’’ she explained. “Location data is being used … by several countries [such as] Taiwan and Israel.
How Much Weight Do Privacy Laws Carry During Coronavirus?
Rettas noted that Europe is also tracking residents' phones for Coronavirus research and said that it “sounds reasonable … this information is probably helpful to track the spread of the virus” in countries like France and Italy, Spain, and even Germany, which is known for having strong privacy laws, he said. He asked Sanford for her thoughts on what Europe is doing to privately share location data to help scientists study the virus' spread.
Sanford said that it’s important to figure out where people are located and how people come in contact with the virus. “Location data is gold right now and this is creating issues. People are concerned as to whether they can share this information,’’ specifically because of the GDPR.
In the U.S., the California Consumer Privacy Act (CCPA) is now a law, although it is not being enforced until the summer, she said.
“Location data is something that before the Coronavirus was an issue, that was closely examined as to whether or not location data is considered personal information; is it personally identifiable?”
There is debate over this, Sanford said, with some people arguing that location data has no names attached to it. “But the concern is, if you are regularly monitoring an individual and you know the time they go to work, the time they come home, and this is on a frequent basis, you can tell who that person is.”
Sanford said it’s important to consider where else this information could end up and how accurate it will be.
“There are some concerns that are posed as this continues to develop, but they're trying to find a way to be able to notify people quickly if they have been in contact with someone that tested positive, which of course, we all would like to know,’’ she said.
Data is collected through someone’s IP address, their mobile device when they use free public Wi-Fi in stores or if they give out their zip code, she noted. “But the fact is up until now, there were some issues with this and Google had some GDPR violations because they were not allowing a clear opt-out procedure for users.”
Rettas commented he recently interviewed New Jersey Governor Phil Murphy, who said that when he made decisions about restricting movements of certain citizens, he didn't have the Bill of Rights in mind. “Maybe there is something out there that gives governors these wide powers to take away freedoms in certain situations,’’ he said. “But he didn't know what they were and he wasn't able to articulate them at the time.”
Sanford said she believes that because of the CCPA in California, “the residents have a stronger right to privacy than in the rest of the United States. And that right to privacy is pretty significant. It's actually larger than what we have with the GDPR. Under the CCPA, CA residents have the right to know about trends, predispositions, attitudes, abilities, and aptitude, in addition to the right to know when your information is being shared or collected.”
Rettas pointed out that in China, police officers wear devices on their helmets that check the temperatures of citizens walking down the street. “And some companies here in the United States have started requiring temperature checks of their employees at building entrances to prevent the spread of the Coronavirus through their organizations,’’ he said. He asked Sanford for her thoughts on who has the right to know the temperature of another American citizen during a pandemic?
“Right now, this new normal is not normal,’’ Sanford replied. “And I think everybody is questioning exactly what the process is and where we're going. With regards to temperature checks, right now companies, employers are doing their best.”
If temperatures are being taken, who has the right to know that information and under what grounds? “The answer is that depends on a lot of factors,’’ like who is doing the asking, she said.
Also, “you need to figure out how much information you're going to give that third party because it better be very minimal,’’ she said. “The laws have not changed and the laws are not lax with regards to sharing.”
Whomever is collecting the information has to share it with that CA resident to whom it was disclosed and all the details, Sanford said.
Rettas also pointed out that if you have been in a place with a high infection rate, people are being asked to provide proof that they've tested negative for the coronavirus before they can go back to work. He asked Sanford about the legality of that.
“Think about how hard that is -- how many people want that test and can't have it? There are not enough tests out there,’’ she said. “To require you to have the test prior to returning to work is really, almost like telling people right now you have to wear masks as well, but there are no masks to be bought, so people are wearing bandanas.”
Requiring somebody to take a test means that that test needs to be readily available and it's not, she said.
Legal Ramifications Of The Coronavirus
The coronavirus has also prompted a slew of lawsuits both in the U.S. and overseas, Rettas said.
Many are coming from cruise lines not letting passengers off and being trapped at sea with the virus spreading within the actual cruise ship, Sanford added. There are also issues with insurance companies not paying claims and suits involving employers forcing employees to work, she said.
“McDonald's had an issue where the employees started protesting and did not want to go back,’’ she said. Gun owners are claiming they are essential businesses and in Florida, wrestling has been deemed essential business, Sanford noted.
Rettas asked what happens if a business learns that an employee or a customer has tested positive for COVID-19 and how much do they need to share with other people?
“Well, what we're talking about here is a balancing between protecting public health and protecting privacy,’’ Sanford replied. “And what are the concerns that we have with privacy? Why is there a concern with information being shared?”
That person could face discrimination, isolation, retribution if other individuals know that their information and their identity is revealed, Sanford observed. “To the extent we know that somebody has tested positive, their employers do need to share so that we don't have further spreading, but they need to take care and provide only minimal information; whatever is necessary in order to protect them, but not overshare.”
She stressed the importance of knowing who is asking for that information.
“If a third party comes in, you really want to check and make sure that it is a formal, actual request so that you have a legal obligation” to share, Sanford said. “And it's a lot easier to share this information if it is the federal government asking or a state agency but be careful. Tailor what you're saying.”
The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.
To listen to this and past episodes, click here.