Source Code: What matters in tech, in your inbox every morning
What are the biggest holes in data privacy that have been exacerbated by coronavirus?
Geolocation services, the mass adoption of niche tools and weak encryption top the list of concerns for experts in Protocol's Braintrust.
Chief Privacy Officer at Uber
One issue that has more visibly surfaced as a result of COVID-19 is geolocation data-sharing with government entities. This is not a new problem — cities across the world have been seeking specific location data for their smart city initiatives, for example, without specifying why they need granular data versus aggregated, anonymized or de-identified data. However, unlike the GDPR, privacy laws in the US typically do not govern the public sector, so government agencies can collect and use personal data like specific geolocation data in ways that a private company cannot. This issue is coming to a head now because the location data is also attached to sensitive health data, as governments seek to track the spread of COVID-19.
However, even in this urgent new situation, the collection of this data should be minimized and the benefit proportional to the impact on citizens' privacy rights. Further, the government should be mindful that any measures put in place for this health crisis should be temporary, and reduced and finally eliminated in tandem with the course of the health crisis.
International Policy Director at Stanford Cyber Policy Center; Member of European Parliament 2009-2019
Apps and data collection are not a magic wand in the race to find a solution to the devastating coronavirus. The push to do all it takes is leading companies to offer up far-reaching data access, and governments are willing to give it a try. Under pressure, everything becomes fluid. This is a trap we know from the responses to the 9/11 terrorist attacks, when an emergency led to unprecedented erosions of civil liberties. There are now hackers and security experts developing privacy-proof apps, but whether governments and companies will adopt those remains to be seen.
The inconvenient truth is that more access to data also conveniently helps governments control their people, and that technology companies seize the opening to stretch the boundaries of what is possible. The sad reality is that besides the erosion of privacy rights, apps may create a false sense of security, which can make people reckless at the moment they should be vigilant.
Lourdes M. Turrecha
CEO & Founder at PIX LLC
COVID-19 has exacerbated several privacy problems, but two in particular require highlighting:
First, from a societal viewpoint, we must be vigilant about the collection and tracking of sensitive health and location information without adequate safeguards in place. To grasp the gravity of this, we only need to learn from our last major crisis (9/11) and the resulting infringements of our privacy rights that were made in the name of national security. As citizens, we must demand that our governments avoid infringing our privacy rights in the name of this pandemic by busting the myth of the false tradeoff between privacy and public health. We only need to look at European use cases to figure out how to collect and use personal data to combat COVID-19 without sacrificing data protection. The United States' lack of a comprehensive privacy framework to govern this mass data collection and tracking is problematic, especially in light of the EU's GDPR and other existing models that we could learn from.
Second and technology-wise, the mass adoption of tools that were not engineered for privacy exacerbates a wide array of problems, ranging from children's privacy to hacking and surveillance. Thankfully, market and regulatory pressures are forcing tech companies to take privacy and security by design seriously. As consumers, we can play our part by demanding privacy and security engineered tools. Instead of accepting invasive tools as part of a transaction, we must treat privacy and security as central to product excellence and choose our tools accordingly.
Associate Director of Surveillance and Cybersecurity at Stanford Center for Internet and Society
We've seen an explosion of efforts to create location-tracking techniques to fight the spread of COVID-19. The mobile advertising industry is legally able to obtain location data from apps installed on users' phones, and then turn around to hand that information to federal or state government agencies or to private parties. This is a way for governments to "launder" the acquisition of location data, bypassing the use of legal process to obtain that information from cell carriers directly. While the information is aggregated and ostensibly anonymized, there have long been demonstrations of how easy it is to re-identify someone from "anonymous" data (either alone or by combining it with other data sources).
Before the pandemic hit the U.S., we were just starting to see Congress and regulators crack down on the invasion of Americans' location privacy. At the very end of February, days before COVID-19 effectively shut down the country, the FCC announced that it planned to impose a $200 million fine against the four major carriers (which are now about to be down to three, with the FCC's March approval of the Sprint/T-Mobile merger) for selling their subscribers' real-time location data to third parties without subscribers' consent. Now that same privacy-intrusive industry is rebranding itself as helping out in the fight against COVID-19. And I won't be surprised if we see the cell carriers point to the COVID-19 battle to try to weasel out of the fines.
President and Executive Director at Mozilla Foundation
We wrote an email to Mozilla supporters a few weeks ago with the headline, "Thank goodness for the internet!" The internet is so important to us right now. We're dancing online. Bringing out kids and pets to Zoom meetings at work. Hungrily looking for news and stats. A small upside of the pandemic is we're seeing the internet at its best.
But there is a flip side that's easy to forget: with more internet comes more data collection and more opportunity for our privacy to be invaded. Right now we're seeing that with all of the concern about Zoom's privacy stance. And people Zoombombing in really nasty ways. And we're likely to see privacy questions grow in the long term, as what look like experiments with contract tracing and apps to prove immunity to the virus — experiments that look sensible to many in the heat of a crisis — turn into long-term infringements on civil liberties.
That's what happened post-9/11: Short-term invasions of privacy that made sense in a crisis became lasting infringements on civil liberties. I've been asking myself: If we'd seen Snowden coming right after 9/11, what would we have done differently? Would we have sunset some of those laws? Built different tech or even different companies? As we see another set of Snowden-level privacy concerns emerging on the horizon post-COVID, we should be asking these questions of ourselves right now.
See who's who in Protocol's Braintrust. (Updated April 8, 2020)
Questions, comments or suggestions? Email email@example.com.