CMO

COVID-19 and the privacy problem

Like many facets of business and life, the crisis is showing us what needs to be fixed, and it's no different with privacy

Coronavirus tracing apps, temperature sensing drones, phone apps to monitor social distancing, tech giants sharing smartphone location and mobility data - the COVID-19 pandemic is revealing the many ways technology and data can be used to protect human health. But at what cost to privacy?

Collecting information about people is nothing new - governments have long conducted population data gathering in the form of a census. But now technology has enabled granular personal details on a minute-by-minute basis, both offline and online, to be collected in great swathes. It’s gold for the businesses who compete for our attention and our dollars and hunger for intelligence to guide their activities.

“It shows us something that has always been true, but that we are increasingly aware of - data is power,” Ethics Centre fellow, Dr Matt Beard, told CMO. “We have always collected data and information as a way of obtaining power. And we're continuing to do that. Now it's just there are more forms of data we can collect in a measurable, quantifiable way that we can analyse, store and process.

“There are loads of other kinds of data available to us. And we're trying to collect them at the moment because we want some level of control so that we can secure public health."

That doesn't necessarily mean we shouldn't ask questions about the way in which that is trying to be achieved, however. Dr Beard noted particular questions around the risks that arise from that, who those risks flow to and who is left out of the solution.

Selling the COVIDSafe app

The big questions right now are around the COVIDSafe app. Can the nation’s chief marketer sell the benefits over the perceived risks of a tracing app?

The government has been at pains to reassure citizens their data will be protected and their privacy assured if they use the COVIDSafe app. It has introduced new public health information legislation to protect privacy, which comes on top of protections under the Biosecurity Act, and published a privacy impact assessment. Yet it has not released any of the source code as promised.

Legal and privacy experts, such as UNSW faculty of law senior lecturer, Katharine Kemp, and UNSW professor of law and information systems, Graham Greenleaf, have written the app collects far more data than the government has admitted.

They point out the Privacy Impact Assessment found the app records and shares to the central data store – if a user who tests positive consents – data about other users who were in range of Bluetooth even for a minute within the preceding 21 days. Ministers have said the app would only collect data of other app users within 1.5 metres, for at least 15 minutes. When a user tests positive, the app would allow the user to consent to the upload of only those contacts.

For Dr Beard, privacy concerns about the COVIDSafe app show the enormous trust required for people to adopt the app, like they have accepted severe Covid-related restrictions. The intended goal is for the greater good of limiting the spread of the virus and keeping people safe. But the app is requiring a big public marketing campaign, official reassurances and new laws.

"There are absolutely obligations we have to the group and times when we have to set aside our individual convenience and self-interest in order for the group to benefit," he said. "That’s what it means to be a citizen.

“In principle that makes sense, but when you look at the context and specifics, the framing of this has been problematic. It’s ‘are you willing to do this or not’ without necessarily providing people with enough information to make a reasonable choice."

The lack of information includes selling the app as though it were protection “like sunscreen', giving the impression it has preventative powers from virus infection. It’s presented as a solution to a problem, rather than a tool with a specific purpose. Beard stressed it’s crucial to think about the value that can be conveyed by the tracing app, and to have an appropriate mode of communication to secure reasonable trust.

“The important thing to think about is what kind of conversation needs to take place and what kind of messaging needs to take place from the government so that we could say that the people who either are using the app or are not using the app are doing so with good justification for that decision,” he said.

“In an ideal world, we would be more willing to hand over information to government as a more trusted institution that should be acting in our interest. But what we're seeing here, in terms of reluctance, is just how far government has to go in order to demonstrate that sort of trust so we can say ‘Yes, we believe you have good intentions and systems and processes and accountability and transparency. And that means we can have confidence to hand over information to you and trust it is only going to be used for the ends that have been stipulated’."

Will COVID-19 spur on privacy regulations?

It’s still early days, but one of the wider implications is whether the heightened focus on privacy will usher in new regulations when it comes to personal information, data collection and privacy. Imagine, for example, if these kinds of actions had been taken with the introduction of the MyHealth record system, the metadata laws and the proposed facial recognition database. Again, the virus has an uncomfortable way of revealing what might have been done differently.

Dentsu executive director, data and analytics, John Price, anticipated the COVID-19 outbreak will be a catalyst that accelerates development of ethics and regulations around consumer data use.

“Much of the debate about the implementation of the Australian Government’s COVID-19 tracking application has been driven by consumer fear of the worst possible outcomes,” said Price. “As legislators and consumers become better informed about the mechanics of relevant technologies, we will see increased willingness by the market to adapt ethics and regulations that make sense where there is a clear societal or consumer benefit to evolve."

In Dentsu’s Data Consciousness Project research conducted during late 2019, 49 per cent of Australian consumers agreed sharing personal data is a necessary part of the modern economy. In addition, three quarters believed government needed to play a bigger role in regulation of its usage. 

“As we improve education and awareness of data security and data privacy in the market, we will see public responses shift focus from prevention and blockage of data use toward identifying how to reap the benefits of personal data sharing while ensuring there are relevant circuit breakers to apply appropriate limitations,” said Price.

“Moving forward, brands and government organisations working with consumer data will need to provide upfront transparency with their consumers and constituents. Doing this via extended terms and conditions is also not the answer."

Price cited a recently an assessment that found the average time it takes to read terms and conditions of major technology platforms ranges from 10 minutes to more than an hour.

“Consumers are generally aware the use of their data is part of improving their customer experience, so being clear with them in simple ways on how you are using their data will help establish and maintain their trust in your brand,” he said.

According to LogRhythm CMO, Cindy Zhou, the COVID-19 pandemic has resulted in many businesses facing data privacy questions as they monitor the impact of the virus on their organisation.

“In response to these concerns, we have seen international authorities take action to encourage, and in some instances require organisations to monitor and respond to these evolving cybersecurity and data privacy issues,” she told CMO.

“Marketers are faced with more regulation and stricter guidelines on our ability to procure contacts, yet the lead generation expectations are high. The idea of a worldwide privacy framework is hard to fathom right now, but I believe is needed to ensure consistency in how we manage privacy and consent. The current landscape of GDPR in Europe, California's CCPA, and Canada's CASL have nuances in the text that creates confusion for global marketers.”

Beyond the current period, Zhou saw the need for a clear and accurate public statement from authorities about what personal data is being collected, why it is being collected, with whom (if anyone) it will be shared, how it will be secured, and how long it will be retained.

However, there are those who believe a world-wide privacy framework is exponentially more complex. Attivo Networks CMO, Carolyn Crandall, said a framework detailing minimum handling and safety measures could help protect our personal information, yet creating a centralised database that attackers would aggressively target in order to modify, steal or destroy data is extremely risky.

“It could also create opportunities for violating an individual’s privacy - having all the data in one place might allow for undesired correlation of information and its potential misuse by adversaries or portions of government overstepping their intended boundaries,” she warned.

Avoiding the ‘honey pot’ risk may entail common requirements over a common storehouse of data. There are precedents for regional compliance structures that enable the free flow of data while imposing uniform data protection requirements such as the APEC Privacy Framework and EU-US and Swiss-US Privacy Shield Framework. These could serve as a model, according to CrowdStrike VP and counsel, privacy and cyber policy, Drew Bagley.

He noted recent legislative developments globally have included common requirements such as incorporating privacy-by-design, implementing cybersecurity, and reporting data breaches if they are likely to pose a risk to individuals. “Accordingly, a global framework focused on these common requirements could provide a practical means to incentivise the adoption of more uniform data protection practices,” he said.

Bagley explained a global policy framework could include a flexible, principles-based approach, rather than prescriptive requirements, an acknowledgement that not all data is created equal. Some data types, for instance, are more sensitive than others. Then there are other considerations such as data processing transparency, incentives to adopt new safeguards as threats evolve, and support for global data flows needed for innovative technologies often dependent on dynamic cross-border data transfers.

Up next: Redefining privacy as a human right

Page Break


Redefining privacy as a human right

A discussion around privacy can’t be had without looking at the meaning of privacy. For the Ethics Centre’s Dr Beard, it;s about acknowledging our understanding of privacy changes depending on the context.

When it comes to the argument that Google, Apple and other tech companies already know everything about us, so why be concerned about a tracing app, for example, the discussion has lost its context.

“Context really matters,” Dr Beard said. “And what people are willing to give up in exchange for community health and wellbeing by comparison to what they might be willing to give up in exchange for some other goods. That’s going to be variable and that needs to be part of the conversation.

“It highlights an important distinction that needs to be made between how we respond in terms of the data we are willing to hand off in our capacity as consumers engaging with organisations, and what kind of information we are willing to hand off in our in our relationship with government.”

It's clear we will continue to have conversations around data in a range of different contexts. "Hopefully what we can do is learn from what the conversation looks like in regard to the COVIDSafe app and find relevant analogies when we're having privacy conversations in different contexts,” Dr Beard said.

Australian Privacy Foundation chair, David Vaile, told CMO there needs to be better transparency around the collection and use of personal information to protect people’s privacy. He also believes informed consent is a key plank of privacy protections.

When it comes to something like the COVIDSafe app, it’s about providing protocols for communication, source code, data structures and design specifications. When it comes to business, it’s about being transparent about what personal information is collected and for what purposes.

But, Vaile said, informed consent is largely missing. When people don’t have proper visibility or understanding about whether their privacy is being protected by digital platforms and businesses, it can give rise to “techlash”, a backlash against the tech giants like Google and Facebook as well as behavioural marketing outfits.

“It becomes about trying to develop a psychographic profile to nudge you in certain ways. You shouldn’t be tempted to click a button because it’s a your favourite colour, and personalisation can do that,” Vaile said.

One of the ways of strengthening privacy in Australian is enabling people to sue for breach of privacy, Vaile continued. This provision doesn’t currently exist in Australia.

“It’s been recommended by five reviews over the last 30 years and we really are the odd one out in relation to other countries that have this right," he said. "What this means is that individuals are left on their own and there’s no protection and no restraint. There's no ability to sue as an individual or in a class action for breaches.

“And what you get is people who do the right thing, seeing others who are much more exploitative and intrusive getting away with it. It’s a market failure. But it’s good the ACCC is looking at some of this in its inquiries to hopefully improve the operation of the market as well as giving people more protection.”

Privacy and the protection of personal information needs to be viewed as human right with the same protections extended into the digital realm that exist in the off-line world, according to Ping Identity chief customer officer, Richard Bird. He suggested current privacy concerns reveal how governments, not just Australia, have shown very little regard for actually protecting people and their data.

“The government and corporate enterprise track record of protecting citizens and consumers is pretty terrible,” said Bird.

Bird recommended a uniform worldwide privacy framework to address what has been missing in the designs for digital privacy up to this point. “It is about extending our rights as citizens, for those who live in free democracies, into the digital realm," he said.

"We need to stop treating the digital world as if it is separate and apart from the real world, from the analogue world. It is not.

Privacy in the digital world can only be achieved by recognising we are protecting the rights of our citizens, our consumers, our employees, of all humankind. It's not just protecting someone’s information held in some database somewhere.”

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page, or join us on Facebook: https://www.facebook.com/CMOAustralia.