COVID-19 and the privacy problem

Like many facets of business and life, the crisis is showing us what needs to be fixed, and it's no different with privacy

Coronavirus tracing apps, temperature sensing drones, phone apps to monitor social distancing, tech giants sharing smartphone location and mobility data - the COVID-19 pandemic is revealing the many ways technology and data can be used to protect human health. But at what cost to privacy?

Collecting information about people is nothing new - governments have long conducted population data gathering in the form of a census. But now technology has enabled granular personal details on a minute-by-minute basis, both offline and online, to be collected in great swathes. It’s gold for the businesses who compete for our attention and our dollars and hunger for intelligence to guide their activities.

“It shows us something that has always been true, but that we are increasingly aware of - data is power,” Ethics Centre fellow, Dr Matt Beard, told CMO. “We have always collected data and information as a way of obtaining power. And we're continuing to do that. Now it's just there are more forms of data we can collect in a measurable, quantifiable way that we can analyse, store and process.

“There are loads of other kinds of data available to us. And we're trying to collect them at the moment because we want some level of control so that we can secure public health."

That doesn't necessarily mean we shouldn't ask questions about the way in which that is being achieved, however. Dr Beard noted particular questions around the risks that arise from that, who those risks flow to and who is left out of the solution.

Selling the COVIDSafe app

The big questions right now are around the COVIDSafe app. Can the nation’s chief marketer sell the benefits over the perceived risks of a tracing app?

The government has been at pains to reassure citizens their data will be protected and their privacy assured if they use the COVIDSafe app. It has introduced new public health information legislation to protect privacy, which comes on top of protections under the Biosecurity Act, and published a privacy impact assessment. Yet it has not released any of the source code as promised.

Legal and privacy experts, such as UNSW faculty of law senior lecturer, Katharine Kemp, and UNSW professor of law and information systems, Graham Greenleaf, have written the app collects far more data than the government has admitted.

They point out the Privacy Impact Assessment found the app records and shares to the central data store – if a user who tests positive consents – data about other users who were in range of Bluetooth even for a minute within the preceding 21 days. Ministers have said the app would only collect data of other app users within 1.5 metres, for at least 15 minutes. When a user tests positive, the app would allow the user to consent to the upload of only those contacts.

For Dr Beard, privacy concerns about the COVIDSafe app show the enormous trust required for people to adopt the app, like they have accepted severe Covid-related restrictions. The intended goal is for the greater good of limiting the spread of the virus and keeping people safe. But the app is requiring a big public marketing campaign, official reassurances and new laws.

"There are absolutely obligations we have to the group and times when we have to set aside our individual convenience and self-interest in order for the group to benefit," he said. "That’s what it means to be a citizen.

“In principle that makes sense, but when you look at the context and specifics, the framing of this has been problematic. It’s ‘are you willing to do this or not’ without necessarily providing people with enough information to make a reasonable choice."

The lack of information includes selling the app as though it were protection “like sunscreen”, giving the impression it has preventative powers against virus infection. It’s presented as a solution to a problem, rather than a tool with a specific purpose. Beard stressed it’s crucial to think about the value that can be conveyed by the tracing app, and to have an appropriate mode of communication to secure reasonable trust.

“The important thing to think about is what kind of conversation needs to take place and what kind of messaging needs to take place from the government so that we could say that the people who either are using the app or are not using the app are doing so with good justification for that decision,” he said.

“In an ideal world, we would be more willing to hand over information to government as a more trusted institution that should be acting in our interest. But what we're seeing here, in terms of reluctance, is just how far government has to go in order to demonstrate that sort of trust so we can say ‘Yes, we believe you have good intentions and systems and processes and accountability and transparency. And that means we can have confidence to hand over information to you and trust it is only going to be used for the ends that have been stipulated’."

Will COVID-19 spur on privacy regulations?

It’s still early days, but one of the wider implications is whether the heightened focus on privacy will usher in new regulations when it comes to personal information, data collection and privacy. Imagine, for example, if these kinds of actions had been taken with the introduction of the MyHealth record system, the metadata laws and the proposed facial recognition database. Again, the virus has an uncomfortable way of revealing what might have been done differently.

Dentsu executive director, data and analytics, John Price, anticipated the COVID-19 outbreak will be a catalyst that accelerates development of ethics and regulations around consumer data use.

“Much of the debate about the implementation of the Australian Government’s COVID-19 tracking application has been driven by consumer fear of the worst possible outcomes,” said Price. “As legislators and consumers become better informed about the mechanics of relevant technologies, we will see increased willingness by the market to adapt ethics and regulations that make sense where there is a clear societal or consumer benefit to evolve."

In Dentsu’s Data Consciousness Project research conducted during late 2019, 49 per cent of Australian consumers agreed sharing personal data is a necessary part of the modern economy. In addition, three quarters believed government needed to play a bigger role in regulation of its usage. 

“As we improve education and awareness of data security and data privacy in the market, we will see public responses shift focus from prevention and blockage of data use toward identifying how to reap the benefits of personal data sharing while ensuring there are relevant circuit breakers to apply appropriate limitations,” said Price.

“Moving forward, brands and government organisations working with consumer data will need to provide upfront transparency with their consumers and constituents. Doing this via extended terms and conditions is also not the answer."

Price cited a recent assessment that found the average time it takes to read terms and conditions of major technology platforms ranges from 10 minutes to more than an hour.

“Consumers are generally aware the use of their data is part of improving their customer experience, so being clear with them in simple ways on how you are using their data will help establish and maintain their trust in your brand,” he said.

According to LogRhythm CMO, Cindy Zhou, the COVID-19 pandemic has resulted in many businesses facing data privacy questions as they monitor the impact of the virus on their organisation.

“In response to these concerns, we have seen international authorities take action to encourage, and in some instances require organisations to monitor and respond to these evolving cybersecurity and data privacy issues,” she told CMO.

“Marketers are faced with more regulation and stricter guidelines on our ability to procure contacts, yet the lead generation expectations are high. The idea of a worldwide privacy framework is hard to fathom right now, but I believe is needed to ensure consistency in how we manage privacy and consent. The current landscape of GDPR in Europe, California's CCPA, and Canada's CASL have nuances in the text that create confusion for global marketers.”

Beyond the current period, Zhou saw the need for a clear and accurate public statement from authorities about what personal data is being collected, why it is being collected, with whom (if anyone) it will be shared, how it will be secured, and how long it will be retained.

However, there are those who believe a world-wide privacy framework is exponentially more complex. Attivo Networks CMO, Carolyn Crandall, said a framework detailing minimum handling and safety measures could help protect our personal information, yet creating a centralised database that attackers would aggressively target in order to modify, steal or destroy data is extremely risky.

“It could also create opportunities for violating an individual’s privacy - having all the data in one place might allow for undesired correlation of information and its potential misuse by adversaries or portions of government overstepping their intended boundaries,” she warned.

Avoiding the ‘honey pot’ risk may entail common requirements over a common storehouse of data. There are precedents for regional compliance structures that enable the free flow of data while imposing uniform data protection requirements such as the APEC Privacy Framework and EU-US and Swiss-US Privacy Shield Framework. These could serve as a model, according to CrowdStrike VP and counsel, privacy and cyber policy, Drew Bagley.

He noted recent legislative developments globally have included common requirements such as incorporating privacy-by-design, implementing cybersecurity, and reporting data breaches if they are likely to pose a risk to individuals. “Accordingly, a global framework focused on these common requirements could provide a practical means to incentivise the adoption of more uniform data protection practices,” he said.

Bagley explained a global policy framework could include a flexible, principles-based approach, rather than prescriptive requirements, and an acknowledgement that not all data is created equal. Some data types, for instance, are more sensitive than others. Then there are other considerations such as data processing transparency, incentives to adopt new safeguards as threats evolve, and support for global data flows needed for innovative technologies often dependent on dynamic cross-border data transfers.
