COVID-19 and the privacy problem

Like many facets of business and life, the crisis is showing us what needs to be fixed, and it's no different with privacy

Coronavirus tracing apps, temperature sensing drones, phone apps to monitor social distancing, tech giants sharing smartphone location and mobility data - the COVID-19 pandemic is revealing the many ways technology and data can be used to protect human health. But at what cost to privacy?

Collecting information about people is nothing new - governments have long conducted population data gathering in the form of a census. But now technology has enabled granular personal details on a minute-by-minute basis, both offline and online, to be collected in great swathes. It’s gold for the businesses who compete for our attention and our dollars and hunger for intelligence to guide their activities.

“It shows us something that has always been true, but that we are increasingly aware of - data is power,” Ethics Centre fellow, Dr Matt Beard, told CMO. “We have always collected data and information as a way of obtaining power. And we're continuing to do that. Now it's just there are more forms of data we can collect in a measurable, quantifiable way that we can analyse, store and process.

“There are loads of other kinds of data available to us. And we're trying to collect them at the moment because we want some level of control so that we can secure public health."

That doesn't necessarily mean we shouldn't ask questions about the way in which that is trying to be achieved, however. Dr Beard noted particular questions around the risks that arise from that, who those risks flow to and who is left out of the solution.

Selling the COVIDSafe app

The big questions right now are around the COVIDSafe app. Can the nation’s chief marketer sell the benefits over the perceived risks of a tracing app?

The government has been at pains to reassure citizens their data will be protected and their privacy assured if they use the COVIDSafe app. It has introduced new public health information legislation to protect privacy, which comes on top of protections under the Biosecurity Act, and published a privacy impact assessment. Yet it has not released any of the source code as promised.

Legal and privacy experts, such as UNSW faculty of law senior lecturer, Katharine Kemp, and UNSW professor of law and information systems, Graham Greenleaf, have written the app collects far more data than the government has admitted.

They point out the Privacy Impact Assessment found the app records and shares to the central data store – if a user who tests positive consents – data about other users who were in range of Bluetooth even for a minute within the preceding 21 days. Ministers have said the app would only collect data of other app users within 1.5 metres, for at least 15 minutes. When a user tests positive, the app would allow the user to consent to the upload of only those contacts.

For Dr Beard, privacy concerns about the COVIDSafe app show the enormous trust required for people to adopt the app, like they have accepted severe Covid-related restrictions. The intended goal is for the greater good of limiting the spread of the virus and keeping people safe. But the app is requiring a big public marketing campaign, official reassurances and new laws.

"There are absolutely obligations we have to the group and times when we have to set aside our individual convenience and self-interest in order for the group to benefit," he said. "That’s what it means to be a citizen.

“In principle that makes sense, but when you look at the context and specifics, the framing of this has been problematic. It’s ‘are you willing to do this or not’ without necessarily providing people with enough information to make a reasonable choice."

The lack of information includes selling the app as though it were protection “like sunscreen', giving the impression it has preventative powers from virus infection. It’s presented as a solution to a problem, rather than a tool with a specific purpose. Beard stressed it’s crucial to think about the value that can be conveyed by the tracing app, and to have an appropriate mode of communication to secure reasonable trust.

“The important thing to think about is what kind of conversation needs to take place and what kind of messaging needs to take place from the government so that we could say that the people who either are using the app or are not using the app are doing so with good justification for that decision,” he said.

“In an ideal world, we would be more willing to hand over information to government as a more trusted institution that should be acting in our interest. But what we're seeing here, in terms of reluctance, is just how far government has to go in order to demonstrate that sort of trust so we can say ‘Yes, we believe you have good intentions and systems and processes and accountability and transparency. And that means we can have confidence to hand over information to you and trust it is only going to be used for the ends that have been stipulated’."

Will COVID-19 spur on privacy regulations?

It’s still early days, but one of the wider implications is whether the heightened focus on privacy will usher in new regulations when it comes to personal information, data collection and privacy. Imagine, for example, if these kinds of actions had been taken with the introduction of the MyHealth record system, the metadata laws and the proposed facial recognition database. Again, the virus has an uncomfortable way of revealing what might have been done differently.

Dentsu executive director, data and analytics, John Price, anticipated the COVID-19 outbreak will be a catalyst that accelerates development of ethics and regulations around consumer data use.

“Much of the debate about the implementation of the Australian Government’s COVID-19 tracking application has been driven by consumer fear of the worst possible outcomes,” said Price. “As legislators and consumers become better informed about the mechanics of relevant technologies, we will see increased willingness by the market to adapt ethics and regulations that make sense where there is a clear societal or consumer benefit to evolve."

In Dentsu’s Data Consciousness Project research conducted during late 2019, 49 per cent of Australian consumers agreed sharing personal data is a necessary part of the modern economy. In addition, three quarters believed government needed to play a bigger role in regulation of its usage. 

“As we improve education and awareness of data security and data privacy in the market, we will see public responses shift focus from prevention and blockage of data use toward identifying how to reap the benefits of personal data sharing while ensuring there are relevant circuit breakers to apply appropriate limitations,” said Price.

“Moving forward, brands and government organisations working with consumer data will need to provide upfront transparency with their consumers and constituents. Doing this via extended terms and conditions is also not the answer."

Price cited a recently an assessment that found the average time it takes to read terms and conditions of major technology platforms ranges from 10 minutes to more than an hour.

“Consumers are generally aware the use of their data is part of improving their customer experience, so being clear with them in simple ways on how you are using their data will help establish and maintain their trust in your brand,” he said.

According to LogRhythm CMO, Cindy Zhou, the COVID-19 pandemic has resulted in many businesses facing data privacy questions as they monitor the impact of the virus on their organisation.

“In response to these concerns, we have seen international authorities take action to encourage, and in some instances require organisations to monitor and respond to these evolving cybersecurity and data privacy issues,” she told CMO.

“Marketers are faced with more regulation and stricter guidelines on our ability to procure contacts, yet the lead generation expectations are high. The idea of a worldwide privacy framework is hard to fathom right now, but I believe is needed to ensure consistency in how we manage privacy and consent. The current landscape of GDPR in Europe, California's CCPA, and Canada's CASL have nuances in the text that creates confusion for global marketers.”

Beyond the current period, Zhou saw the need for a clear and accurate public statement from authorities about what personal data is being collected, why it is being collected, with whom (if anyone) it will be shared, how it will be secured, and how long it will be retained.

However, there are those who believe a world-wide privacy framework is exponentially more complex. Attivo Networks CMO, Carolyn Crandall, said a framework detailing minimum handling and safety measures could help protect our personal information, yet creating a centralised database that attackers would aggressively target in order to modify, steal or destroy data is extremely risky.

“It could also create opportunities for violating an individual’s privacy - having all the data in one place might allow for undesired correlation of information and its potential misuse by adversaries or portions of government overstepping their intended boundaries,” she warned.

Avoiding the ‘honey pot’ risk may entail common requirements over a common storehouse of data. There are precedents for regional compliance structures that enable the free flow of data while imposing uniform data protection requirements such as the APEC Privacy Framework and EU-US and Swiss-US Privacy Shield Framework. These could serve as a model, according to CrowdStrike VP and counsel, privacy and cyber policy, Drew Bagley.

He noted recent legislative developments globally have included common requirements such as incorporating privacy-by-design, implementing cybersecurity, and reporting data breaches if they are likely to pose a risk to individuals. “Accordingly, a global framework focused on these common requirements could provide a practical means to incentivise the adoption of more uniform data protection practices,” he said.

Bagley explained a global policy framework could include a flexible, principles-based approach, rather than prescriptive requirements, an acknowledgement that not all data is created equal. Some data types, for instance, are more sensitive than others. Then there are other considerations such as data processing transparency, incentives to adopt new safeguards as threats evolve, and support for global data flows needed for innovative technologies often dependent on dynamic cross-border data transfers.

Up next: Redefining privacy as a human right

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

More Videos

Great piece Katja. It will be fascinating to see how the shift in people's perception of value will affect design, products and services ...

Paul Scott

How to design for a speculative future - Customer Design - CMO Australia

Read more

Google collects as much data as it can about you. It would be foolish to believe Google cares about your privacy. I did cut off Google fr...

Phil Davis

ACCC launches fresh legal challenge against Google's consumer data practices for advertising

Read more

“This new logo has been noticed and it replaces a logo no one really knew existed so I’d say it’s abided by the ‘rule’ of brand equity - ...

Lawrence

Brand Australia misses the mark

Read more

IMHO a logo that needs to be explained really doesn't achieve it's purpose.I admit coming to the debate a little late, but has anyone els...

JV_at_lAttitude_in_Cairns

Brand Australia misses the mark

Read more

Hi everyone! Hope you are doing well. I just came across your website and I have to say that your work is really appreciative. Your conte...

Rochie Grey

Will 3D printing be good for retail?

Read more

Blog Posts

How to design for a speculative future

For a while now, I have been following a fabulous design strategy and research colleague, Tatiana Toutikian, a speculative designer. This is someone specialising in calling out near future phenomena, what the various aspects of our future will be, and how the design we create will support it.

Katja Forbes

Managing director of Designit, Australia and New Zealand

The obvious reason Covidsafe failed to get majority takeup

Online identity is a hot topic as more consumers are waking up to how their data is being used. So what does the marketing industry need to do to avoid a complete loss of public trust, in instances such as the COVID-19 tracing app?

Dan Richardson

Head of data, Verizon Media

Brand or product placement?

CMOs are looking to ensure investment decisions in marketing initiatives are good value for money. Yet they are frustrated in understanding the value of product placements within this mix for a very simple reason: Product placements are broadly defined and as a result, mean very different things to different people.

Michael Neale and Dr David Corkindale

University of Adelaide Business School and University of South Australia

Sign in