COVID-19: Impact on Data Privacy

Personal data is being used to fight COVID-19, and it's raising privacy concerns

Companies and governments worldwide are using various digital tools to fight COVID-19 and adjust to the new normal. These tools, which often involve the use of personal data, have raised valid privacy concerns.  

In this article, we take a look at data privacy issues arising from COVID-19.

Contact Tracing Apps  

Governments are rolling out mobile contact tracing apps to notify people of potential exposures and help local health agencies trace and contain COVID-19. According to Amnesty International, over 45 countries have rolled out or plan to roll out contact tracing apps. Some of these apps use personal data and have the potential to put users’ privacy at risk.

For instance, the rush to push out contact tracing apps has led to the development of poorly designed apps that attackers can easily exploit to gain access to a user’s data. Security Lab discovered security vulnerabilities in Qatar’s mandatory contact tracing app, EHTERAZ, that would have allowed attackers to access the personal information of over 1 million people, including name, national ID, health status, and location data.

Data re-identification is another privacy problem that comes with the use of personal data in contact tracing apps. To keep personal data private, some contact tracing apps use anonymized data. However, studies have shown that people can be re-identified from random data points. For instance, cybercriminals or governments can combine location data, such as cell phone data, with other publicly available data, like home addresses, to identify an individual.
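A data owner can measure this linkage risk before releasing "anonymized" location data. The following is an added example, not part of the original article: it infers each pseudonym's likely home cell from night-time pings and reports which pseudonyms fall into groups smaller than k. The sample pings, grid-cell names and the night-hours heuristic are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: (pseudonym, hour_of_day, coarse_grid_cell). No real data.
PINGS = [
    ("u1", 2, "A1"), ("u1", 3, "A1"), ("u1", 14, "C3"),
    ("u2", 1, "A1"), ("u2", 23, "A1"), ("u2", 13, "C3"),
    ("u3", 2, "B7"), ("u3", 4, "B7"), ("u3", 15, "C3"),
    ("u4", 0, "B2"), ("u4", 12, "C3"),
]

# Assumption: pings between 22:00 and 06:00 approximate the home location.
NIGHT_HOURS = set(range(0, 6)) | {22, 23}


def inferred_home_cells(pings):
    """Most frequent night-time cell per pseudonym (the quasi-identifier)."""
    night = defaultdict(Counter)
    for pseudonym, hour, cell in pings:
        if hour in NIGHT_HOURS:
            night[pseudonym][cell] += 1
    return {p: cells.most_common(1)[0][0] for p, cells in night.items()}


def k_anonymity_report(pings, k_min=2):
    """Return (smallest group size, pseudonyms in groups smaller than k_min)."""
    homes = inferred_home_cells(pings)
    group_size = Counter(homes.values())
    at_risk = sorted(p for p, cell in homes.items() if group_size[cell] < k_min)
    return min(group_size.values(), default=0), at_risk


def coarsen(pings, width=1):
    """Generalise locations by keeping only the first `width` characters of a cell."""
    return [(p, h, cell[:width]) for p, h, cell in pings]


if __name__ == "__main__":
    print("fine grid  :", k_anonymity_report(PINGS))
    print("coarse grid:", k_anonymity_report(coarsen(PINGS)))
```

On the fine grid, two pseudonyms are alone in their home cell and could be matched against an address list; coarsening the grid puts every pseudonym in a group of at least two.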

How contact tracing apps store personal data has also been a topic of data privacy discussions. Privacy advocates argue that contact tracing apps that use centralized databases controlled by government or local health officials can be leveraged for purposes beyond public health.

Privacy advocates suggest that decentralized infrastructure would better protect privacy. With decentralized infrastructure, data is stored on a user’s device and the user can control how that data is used.

Despite privacy complaints, contact tracing apps have a role to play in the fight against the spread of COVID-19. Governments will have to assure individuals that their data will be managed carefully and remain private.  

Temperature Checks 

As stores reopen, retailers are carrying out temperature checks to screen customers before they can enter their stores. While temperature checks aim to control the spread of COVID-19, they prompt discussions around consumer privacy. A regional German data protection office has already launched a probe into whether customer temperature checks at Apple Stores “violates EU privacy rules.”

One data privacy regulation that will be on the front burner due to COVID-19 temperature checks is the California Consumer Privacy Act (CCPA). Under the CCPA, a subject business that collects a California resident’s “personal information” must, among other things, notify consumers when their personal information is being collected and the purposes for which the information will be used.  

This means that businesses operating in California that maintain a record of the name and temperature reading of a customer may need to consider their compliance with the CCPA or face costly litigation.

Screening devices used to carry out temperature checks may also breach biometric privacy laws. For instance, contactless infrared thermometers use biometric data such as facial geometry to measure temperature. Such equipment could implicate the Illinois Biometric Information Privacy Act (“BIPA”), which has strict notice, disclosure, and consent requirements. 

To be on the safe side of biometric and consumer laws, before rolling out temperature screenings, experts advise that you:

  • Understand the thermometer technology selected and the data it captures.  
  • Obtain consent before any temperature screening.  
  • Publicly notify customers about what information will or will not be collected. 
  • Consult with experts before implementing procedures which may collect physiological information about consumers.  

Video Platforms 

With 88% of organizations encouraging or requiring their employees to work from home to slow the spread of COVID-19, video conferencing platforms are seeing an increase in use. CNBC noted that in February 2020, Zoom added 2.2 million users while in 2019 it added 1.9 million. Similarly, video calls in Teams grew by over 1,000 percent in the month of March.

However, this rapid growth has put the privacy practices of video conferencing platforms under a brighter spotlight. Below are three issues that have raised concerns:

End-to-end encryption: Some video conferencing platforms don’t support end-to-end encryption, which prevents private information from being read or secretly modified by a third party such as law enforcement, service providers, and cyber-criminals. For example, before Zoom’s security update plans, the platform didn’t offer end-to-end encryption. This means anyone could gain access to users’ unencrypted video content.

Privacy Features: Strong privacy features are key to ensuring individuals hold conversations in a secure virtual environment. Video conferencing platforms that allow weak passwords, or let people join meetings without a password, therefore put individual privacy at risk, as unauthorized individuals can join meetings. TechCrunch reported that several Zoom users experienced Zoom bombings that had their calls intercepted by trolls.

Data Sharing: Video conferencing platforms have broad privacy policies that enable them to collect a range of personal data from users to provide agreed-upon services. However, some platforms share the personal data they collect with third parties for advertising purposes without users’ consent. For instance, Zoom’s iOS app was sending analytics data to Facebook without users’ permission, Vice reported. This data included the user’s location and the device’s advertiser identifier, which lets companies send individuals targeted ads.

While Zoom is in the news, it isn’t the only video conferencing platform with data privacy failures. Houseparty is another app that has a questionable privacy policy.

Given the above, here are some things to keep in mind when using video conferencing platforms: 

  • Read privacy policies so you know who your personal data is being shared with and what purposes it will be used for.
  • Restrict file sharing in the shared ‘chat’ facility so intruders aren’t able to receive private documents or send malware disguised as an attachment to other attendees of the call.
  • Don’t discuss confidential topics or share private information on video conferencing platforms. Use email or the phone instead.
  • Use passwords to protect meetings and never share private meeting IDs in public, including on social media.

As the world battles COVID-19, data privacy will remain a hot topic and there will be more of a spotlight on how businesses handle customer data. So, now is an excellent time to review your data privacy policy, update it if necessary, and put strategies in place to keep customer data safe. We’ll probably see more countries enact data privacy laws, so be on the lookout for those.